See api-docs Menu

Working with API Credentials

To call any of our resource APIs, you must provide an OAuth 2.0 bearer access token in the Authorization header.

To get an OAuth 2.0 bearer access token, you must call the Generate Tokens API using an API credential pair: a client ID and a client secret.

Creating an API Credential Pair

  1. Access OneLogin as an account owner or administrator.

  2. Go to Developers > API Credentials.

  3. On the API Access page, click New Credential.

    Give your credential pair a meaningful name. This name will be very important if you ever need to re-access or delete the credentials.

    In this example, we’ve named the credentials using the name of the developer and app that will be using the credentials.

  4. Select a scope for the credentials.

    • Authentication Only

      Gives the credential pair the ability to generate an access token that can perform POST calls only to authentication endpoints, providing least privileged access to authentication code. These endpoints include:

      Verify Factor (SAML Assertion)
      Generate SAML Assertion
      Verify Factor (Login)
      Create Session Login Token
      Log User Out

    • Read Users

      Gives the credential pair the ability to generate an access token that can perform GET calls available for the User, Role, and Group API resources.

    • Manage users

      Gives the credential pair the ability to generate an access token that can perform GET, POST, PUT, and DELETE calls available for the User, Role, and Group API resources, with the exception of setting passwords and assigning and removing roles.

    • Read All

      Gives the credential pair the ability to generate an access token that can perform GET calls available for all API resources.

    • Manage All

      Gives the credential pair the ability to generate an access token that can perform GET, POST, PUT, and DELETE calls for all available API resources, including the ability to set passwords and assign and remove roles.

  5. Click Save.

    Copy your client secret and client ID for use in making the Generate Access Token API call that will provide the access token you need to make calls to API resources.

    Warning: Keep these credentials secure and take care to not inadvertently embed them in shared code.

  6. Click Done. The API Access page updates to reflect creation of the API credential pair.

Viewing an API Credential Pair

  1. Access OneLogin as an account owner or administrator.

  2. Go to SettingsAPI.

  3. On the API Access page, click the row that corresponds to your credential pair. The credentials display.

Deleting an API Credential Pair

Use this option if you want to permanently delete and stop an API credential pair from working and will not need to have them work again. Alternatively, you can use the Disable API Credential Pair option if you only want to temporarily stop an API credential pair from working.

Warning: Once you delete a credential pair, any access and refresh tokens generated by the credential pair will be revoked and will no longer work.

  1. Access OneLogin as an account owner or administrator.

  2. Go to SettingsAPI.

  3. On the API Access page, click the row that corresponds to your credential pair.
  4. Verify that you are working with the correct pair.

  5. Click Delete. You’ll be prompted to confirm your choice. The API credential pair and any access and refresh tokens it generated will stop working immediately.

Disabling (and Reenabling) an API Credential Pair

Use this option if you want to temporarily disable an API credential pair from working and want to be able to reenable them to work again. Alternatively, you can use the Delete API Credential Pair option if you want to permanently delete a credential pair.

Warning: Once you disable or delete a credential pair, any access and refresh tokens generated by the credential pair will be revoked and will no longer work.

  1. Access OneLogin as an account owner or administrator.

  2. Go to SettingsAPI.

  3. On the API Access page, click the row that corresponds to your credential pair.
  4. Verify that you are working with the correct pair.

  5. Click Disable. The API credential pair and any access and refresh tokens it generated will stop working after a few minutes.

  6. Once disabled, the API credential will display in the Disabled section of the API Access page.

  7. To reenable the API credential, click the API credential row in the Disabled section. Click Enable.

  8. The credentials are usable again and move out of the Disabled section of the API Access page.


Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.