Generate Tokens
Generate an access token and refresh token that you can use to call our resource APIs.
This API endpoint wraps its response in a status object, which is not standard OAuth 2.0 and does not work with out-of-the-box OAuth 2.0 client libraries. We continue to support this endpoint, but recommend that for new development you use the Generate Tokens v2 API.
For an overview of the authorization flow, see Authorizing Resource API Calls.
Once generated, an access token is valid for 10 hours.
An access token has a rate limit of 5,000 calls per hour. If an access token surpasses this limit, API calls will return an error. After the hour has passed, the count will be reset to a full 5,000 available calls.
Call the Get Rate Limit API to view current rate limits for an access token. Alternatively, you can find rate limit values in the response header for a resource API call.
Resource URL
https://<api-domain>/auth/oauth2/token
Header Parameters
| Header | Required | Type | Description |
| --- | --- | --- | --- |
| Authorization | required | string | Set to `client_id:<client_id>, client_secret:<client_secret>`. For details about getting a client ID and client secret, see API Credentials. |
| Content-Type | required | string | Set to `application/json`. |
Request Parameter
| Parameter | Required | Type | Description |
| --- | --- | --- | --- |
| grant_type | required | string | Set to `client_credentials`. |
Sample Request Body
{
"grant_type": "client_credentials"
}
Sample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
- 404 Not Found
{
"status": {
"error": false,
"code": 200,
"type": "success",
"message": "Success"
},
"data": [
{
"access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34xxxxx51",
"created_at": "2015-11-11T03:36:18.714Z",
"expires_in": 36000,
"refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523xxxxx6x7x20",
"token_type": "bearer",
"account_id": 555555
}
]
}
Typically, the following error means that your grant_type value is incorrect. The grant_type in your request body must be set to client_credentials. See Sample Request Body above for an example.
{
"status": {
"error": true,
"code": 400,
"type": "bad request",
"message": "grant_type is incorrect/absent"
}
}
{
"status": {
"error": true,
"code": 400,
"type": "bad request",
"message": "Content Type is not specified or specified incorrectly. Content-Type header must be set to application/json"
}
}
Typically, the following error means that your Authorization header value is missing or incorrectly formatted. The Authorization header format must be: client_id:<client_id>, client_secret:<client_secret>.
{
"status": {
"error": true,
"code": 400,
"type": "bad request",
"message": "The authorization information is missing"
}
}
Typically, this error means that your client_id and/or client_secret values are invalid.
{
"status": {
"error": true,
"code": 401,
"type": "Unauthorized",
"message": "Authentication Failure"
}
}
Typically, this error means that you are using the incorrect method. Ensure that you are making a POST.
{
"status": {
"error": true,
"code": 404,
"type": "not found",
"message": "No Route Exists"
}
}
Response Elements
| Element | Description |
| --- | --- |
| access_token | Provides the requested access token. You can use this token to call our resource APIs. |
| created_at | Time at which the access token was generated. |
| expires_in | Indicates that the generated access token expires in 36,000 seconds, 600 minutes, or 10 hours. An expired access token cannot be used to make resource API calls, but it can still be used along with its associated refresh token to call the Refresh Tokens API. |
| refresh_token | Provides the refresh token that is uniquely paired with the access token. You can use this token to request a refresh to its associated access token. For more information about refreshing access tokens, see Refresh Tokens. |
| token_type | Indicates that the generated access token is a bearer token. |
| account_id | Account ID associated with the API credentials used to generate the token. |
Postman Collection
Replace sample variables indicated by {{ }} with your actual values.
Download for the OAuth 2.0 Tokens API
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl 'https://api.us.onelogin.com/auth/oauth2/token' \
-X POST \
-H "Authorization: client_id:<client_id>, client_secret:<client_secret>" \
-H "Content-Type: application/json" \
-d '{
"grant_type":"client_credentials"
}'
C#
See Get Access Token and Users.
Python
See Work with OAuth 2.0 Tokens, Users, and Roles.