Generate Tokens
Generate an access token and refresh token that you can use to call our resource APIs.
We follow the OAuth 2.0 specification (RFC 6749): the request is described in RFC section 1.3.4 and the response in RFC section 5.1.
For an overview of the authorization flow, see Authorizing Resource API Calls.
Once generated, an access token is valid for 10 hours.
Assuming that you are using the same client_id and client_secret, this request will return the same token set until the token expires or is revoked.
Call the Get Rate Limit API to view current rate limits and usage for your account. Alternatively, you can find rate limit values in the response header for a resource API call.
API Credentials are linked to the owner that created them. Therefore, if you delete a user, any credentials they created will stop working and return an HTTP 500 error. In this case you will need to generate a new set of credentials.
Resource URL
https://<subdomain>.onelogin.com/auth/oauth2/v2/token
Sample Code
- Curl
- Node.js
- Dotnet
- Ruby
- Python
- Java
Replace sample values indicated by < > with your actual values.
With Content-Type application/json
curl 'https://<subdomain>.onelogin.com/auth/oauth2/v2/token' \
-X POST \
-H "Authorization: client_id:<client_id>, client_secret:<client_secret>" \
-H "Content-Type: application/json" \
-d '{
"grant_type":"client_credentials"
}'
With Content-Type application/x-www-form-urlencoded
curl 'https://<subdomain>.onelogin.com/auth/oauth2/v2/token' \
-X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'client_secret=<client_secret>'
// Note: the "request" package is deprecated; it is kept here to match the original sample.
const request = require("request")

let options = {
  method: 'POST',
  uri: 'https://<subdomain>.onelogin.com/auth/oauth2/v2/token',
  // HTTP Basic auth carries the client ID and secret
  auth: {
    user: 'ONELOGIN CLIENT ID',
    pass: 'ONELOGIN CLIENT SECRET'
  },
  // json: sets Content-Type: application/json and parses the response body
  json: {
    grant_type: 'client_credentials'
  }
}

request(options, function(error, response, body){
  if (error || response.statusCode !== 200) {
    // Surface transport errors and the documented 400/401/404 error envelopes
    return console.error(error || body)
  }
  let accessToken = body.access_token
})
This example uses Dotnet Core 2.0
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;
.....
public async Task<string> GetAccessToken()
{
    var client = new HttpClient();
    // HTTP Basic auth: base64("<client_id>:<client_secret>")
    var credentials = string.Format("{0}:{1}", "ONELOGIN CLIENT ID", "ONELOGIN CLIENT SECRET");
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(
        "Basic",
        Convert.ToBase64String(Encoding.UTF8.GetBytes(credentials))
    );
    var request = new HttpRequestMessage(){
        Method = HttpMethod.Post,
        RequestUri = new Uri("https://subdomain.onelogin.com/auth/oauth2/v2/token"),
        Content = new StringContent("{ \"grant_type\": \"client_credentials\" }")
    };
    // We add the Content-Type Header like this because otherwise dotnet
    // adds the utf-8 charset extension to it which is not compatible with OneLogin
    request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
    var response = await client.SendAsync(request);
    var responseBody = await response.Content.ReadAsStringAsync();
    dynamic json = JsonConvert.DeserializeObject(responseBody);
    return json.access_token;
}
require 'httparty'

response = HTTParty.post('https://<subdomain>.onelogin.com/auth/oauth2/v2/token',
  # HTTP Basic auth carries the client ID and secret
  basic_auth: {
    username: 'ONELOGIN CLIENT ID',
    password: 'ONELOGIN CLIENT SECRET'
  },
  body: { grant_type: 'client_credentials' }.to_json,
  headers: {
    'content-type' => 'application/json'
  }
)
puts response['access_token']
import requests

# HTTP Basic auth carries the client ID and secret; json= sets Content-Type: application/json
r = requests.post('https://<subdomain>.onelogin.com/auth/oauth2/v2/token',
                  auth=('ONELOGIN CLIENT ID', 'ONELOGIN CLIENT SECRET'),
                  json={
                      "grant_type": "client_credentials"
                  })
r.raise_for_status()  # surface the documented 400/401/404 errors instead of a KeyError below
response = r.json()
print(response['access_token'])
// Assumes Apache HttpClient 4.x and org.json on the classpath (imports added here)
import java.io.IOException;
import java.util.Base64;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.json.JSONObject;

CloseableHttpClient client = HttpClientBuilder.create().build();
HttpPost request = new HttpPost("https://subdomain.onelogin.com/auth/oauth2/v2/token");
// HTTP Basic auth: base64("<client_id>:<client_secret>")
String credentials = String.format("%s:%s", "ONELOGIN CLIENT ID", "ONELOGIN CLIENT SECRET");
byte[] encodedAuth = Base64.getEncoder().encode(credentials.getBytes());
String authHeader = "Basic " + new String(encodedAuth);
request.setHeader("Authorization", authHeader);
request.addHeader("Content-Type", "application/json");
request.setEntity(new StringEntity("{ \"grant_type\": \"client_credentials\" }", "UTF-8"));
// try-with-resources closes the response when done
try (CloseableHttpResponse response = client.execute(request)) {
    String content = EntityUtils.toString(response.getEntity());
    JSONObject json = new JSONObject(content);
    String accessToken = json.getString("access_token");
    System.out.println(accessToken);
} catch (IOException e) {
    e.printStackTrace();
}
Header Parameters
Authorization | required | string | Only required when Content-Type is set to application/json. Set to client_id:<client_id>, client_secret:<client_secret>. Using Node.js this would be
For details about getting a client ID and client secret, see API Credentials. |
Content-Type | required | string | Set to application/json or application/x-www-form-urlencoded. |
Request Parameter
grant_type | required | string | Set to client_credentials. |
Sample Request Body
When using Content-Type application/json
{
"grant_type": "client_credentials"
}
When using Content-Type application/x-www-form-urlencoded
grant_type=client_credentials&client_id=xxxx&client_secret=yyyyy
Sample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
- 404 Not Found
{
"access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34xxxxx51",
"created_at": "2015-11-11T03:36:18.714Z",
"expires_in": 36000,
"refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523xxxxx6x7x20",
"token_type": "bearer",
"account_id": 555555
}
Typically, the following error means that your grant_type value is incorrect. The grant_type in your request body must be set to client_credentials. See Sample Request Body above for an example.
{
"status": {
"error": true,
"code": 400,
"type": "bad request",
"message": "grant_type is incorrect/absent"
}
}
{
"status": {
"error": true,
"code": 400,
"type": "bad request",
"message": "Content Type is not specified or specified incorrectly. Content-Type header must be set to application/json"
}
}
Typically, the following error means that your Authorization header value is missing or incorrectly formatted. The Authorization header format must be: client_id:<client_id>, client_secret:<client_secret>.
{
"status": {
"error": true,
"code": 400,
"type": "bad request",
"message": "The authorization information is missing"
}
}
Typically, this error means that your client_id and/or client_secret values are invalid.
{
"status": {
"error": true,
"code": 401,
"type": "Unauthorized",
"message": "Authentication Failure"
}
}
Typically, this error means that you are using the incorrect method. Ensure that you are making a POST.
{
"status": {
"error": true,
"code": 404,
"type": "not found",
"message": "No Route Exists"
}
}
Response Elements
access_token | Provides the requested access token. You can use this token to call our resource APIs. |
created_at | Time at which the access token was generated. |
expires_in | Indicates that the generated access token expires in 36,000 seconds, 600 minutes, or 10 hours. An expired access token cannot be used to make resource API calls, but it can still be used along with its associated refresh token to call the Refresh Tokens v2 API. |
token_type | Indicates that the generated access token is a bearer token. |
account_id | Account ID associated with the API credentials used to generate the token. |
refresh_token | Deprecated. According to RFC6749 section 4.4.3 the Refresh Token should not be returned with a Client Credentials grant and is planned for removal from this API response. Provides the refresh token that is uniquely paired with the access token. You can use this token to request a refresh to its associated access token. |
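The following is an added example, not OneLogin's own code or any of the samples above: it builds the token request for either documented Content-Type, maps the documented 200/400/401/404 response envelopes to a token record or a typed error, derives the expiry time from created_at plus expires_in, and reuses one token until it nears expiry (the page states that the same token set is returned until expiry anyway, so re-requesting on every call only burns rate limit). The sample bodies are constructed copies of the sample responses on this page; the subdomain, client ID and secret values in the test are placeholders, and the one-minute safety skew is an assumption of this example.

```python
# Added example, not OneLogin's own code: build the documented token request,
# parse the documented success/error envelopes, and cache the token by expiry.
# SAMPLE_* bodies are constructed copies of this page's sample responses.
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAMPLE_OK_BODY = json.dumps({
    "access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34xxxxx51",
    "created_at": "2015-11-11T03:36:18.714Z",
    "expires_in": 36000,
    "refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523xxxxx6x7x20",
    "token_type": "bearer",
    "account_id": 555555,
})
SAMPLE_401_BODY = json.dumps({"status": {"error": True, "code": 401,
                              "type": "Unauthorized", "message": "Authentication Failure"}})


def parse_rfc3339(value):
    """created_at uses a trailing Z; fromisoformat needs +00:00 before Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class TokenRequestError(Exception):
    """One of the documented 400/401/404 error envelopes."""

    def __init__(self, code, error_type, message):
        super().__init__(f"{code} {error_type}: {message}")
        self.code, self.error_type, self.message = code, error_type, message


@dataclass
class TokenSet:
    access_token: str
    token_type: str
    created_at: datetime
    expires_at: datetime
    account_id: int

    def is_valid(self, now=None, skew=timedelta(seconds=60)):
        """Treat the token as expired `skew` early (assumed margin) so a call
        started just before expiry does not fail with an expired token."""
        now = now or datetime.now(timezone.utc)
        return now + skew < self.expires_at


def build_token_request(subdomain, client_id, client_secret, form_encoded=False):
    """Return (url, headers, body) for the two documented encodings: JSON puts the
    credentials in the Authorization header, form-encoding puts them in the body."""
    url = f"https://{subdomain}.onelogin.com/auth/oauth2/v2/token"
    if form_encoded:
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        body = urlencode({"grant_type": "client_credentials",
                          "client_id": client_id, "client_secret": client_secret})
    else:
        headers = {"Content-Type": "application/json",
                   "Authorization": f"client_id:{client_id}, client_secret:{client_secret}"}
        body = json.dumps({"grant_type": "client_credentials"})
    return url, headers, body


def parse_token_response(status_code, body):
    """Map an HTTP (status, body) pair to a TokenSet, or raise TokenRequestError
    carrying the code/type/message from the documented error envelope."""
    data = json.loads(body)
    if status_code != 200 or "access_token" not in data:
        status = data.get("status", {})
        raise TokenRequestError(status.get("code", status_code),
                                status.get("type", "unknown"),
                                status.get("message", body))
    created = parse_rfc3339(data["created_at"])
    # refresh_token is deliberately not kept: the page marks it deprecated for this grant
    return TokenSet(access_token=data["access_token"],
                    token_type=data["token_type"],
                    created_at=created,
                    expires_at=created + timedelta(seconds=int(data["expires_in"])),
                    account_id=int(data["account_id"]))


class TokenCache:
    """Reuse one token until it nears expiry; `fetch()` returns (status_code, body)."""

    def __init__(self, fetch):
        self._fetch, self._token = fetch, None

    def get(self, now=None):
        if self._token is None or not self._token.is_valid(now):
            self._token = parse_token_response(*self._fetch())
        return self._token.access_token


if __name__ == "__main__":
    # Offline demo: a stub stands in for the real HTTP call
    cache = TokenCache(lambda: (200, SAMPLE_OK_BODY))
    print(cache.get(now=parse_rfc3339("2015-11-11T04:00:00Z")))
```

In a real client, `fetch` would perform the POST with the url, headers and body from `build_token_request` and return the status code and response text; everything after that stays as shown. Keeping the expiry check on the client side means an expired token is never sent to a resource API, and raising a typed error preserves the documented code and message for logging without the secret ever appearing in the log.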
Postman Collection
Replace sample variables indicated by {{ }} with your actual values.
Download for the OAuth 2.0 Tokens API version 2