
Generate Tokens

Generate an access token and refresh token that you can use to call our resource APIs.

This endpoint follows RFC 6749: section 1.3.4 for the request and section 5.1 for the response.

For an overview of the authorization flow, see Authorizing Resource API Calls.

Once generated, an access token is valid for 10 hours.

Assuming that you are using the same client_id and client_secret, this request will return the same token set until the token expires or is revoked.

Call the Get Rate Limit API to view current rate limits and usage for your account. Alternatively, you can find rate limit values in the response header for a resource API call.

API credentials are linked to the user who created them. Therefore, if you delete that user, any credentials they created stop working and return an HTTP 500 error; in that case you need to generate a new set of credentials.

Resource URL

https://<subdomain>.onelogin.com/auth/oauth2/v2/token

Sample Code

Replace sample values indicated by < > with your actual values.

With Content-Type application/json


curl 'https://<subdomain>.onelogin.com/auth/oauth2/v2/token' \
-X POST \
-H "Authorization: client_id:<client_id>, client_secret:<client_secret>" \
-H "Content-Type: application/json" \
-d '{
  "grant_type":"client_credentials"
}'
      

With Content-Type application/x-www-form-urlencoded


curl 'https://<subdomain>.onelogin.com/auth/oauth2/v2/token' \
-X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'client_secret=<client_secret>'

const request = require("request")

let options = {
  method: 'POST',
  uri: 'https://<subdomain>.onelogin.com/auth/oauth2/v2/token',
  // Sent as an HTTP Basic Authorization header (client_id:client_secret, base64 encoded)
  auth: {
    user: 'ONELOGIN CLIENT ID',
    pass: 'ONELOGIN CLIENT SECRET'
  },
  // json: true serialises the body and parses the JSON response into `body`
  json: {
    grant_type: 'client_credentials'
  }
}

request(options, function(error, response, body){
  if (error) {
    return console.error(error)
  }
  if (response.statusCode !== 200) {
    // Error responses carry a status object with code, type and message
    return console.error(body.status)
  }
  let accessToken = body.access_token
})

This example uses Dotnet Core 2.0


using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

.....

public async Task<string> GetAccessToken()
{
    var client = new HttpClient();

    var credentials = string.Format("{0}:{1}", "ONELOGIN CLIENT ID", "ONELOGIN CLIENT SECRET");

    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(
        "Basic",
        Convert.ToBase64String(Encoding.UTF8.GetBytes(credentials))
    );

    var request = new HttpRequestMessage(){
        Method = HttpMethod.Post,
        RequestUri = new Uri("https://subdomain.onelogin.com/auth/oauth2/v2/token"),
        Content = new StringContent("{ \"grant_type\": \"client_credentials\" }")
    };

    // We add the Content-Type Header like this because otherwise dotnet
    // adds the utf-8 charset extension to it which is not compatible with OneLogin
    request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

    var response = await client.SendAsync(request);
    var responseBody = await response.Content.ReadAsStringAsync();

    dynamic json = JsonConvert.DeserializeObject(responseBody);

    return json.access_token;
}
      

require 'httparty'

response = HTTParty.post('https://<subdomain>.onelogin.com/auth/oauth2/v2/token',
  basic_auth: {
    username: 'ONELOGIN CLIENT ID',
    password: 'ONELOGIN CLIENT SECRET'
  },
  body: { grant_type: 'client_credentials' }.to_json,
  headers: {
    'content-type' => 'application/json'
  }
)

puts response['access_token']
      

import requests

r = requests.post('https://<subdomain>.onelogin.com/auth/oauth2/v2/token',
  auth=('ONELOGIN CLIENT ID','ONELOGIN CLIENT SECRET'),
  json={
    "grant_type": "client_credentials"
  }
)
response = r.json()

print(response['access_token'])
      

import java.io.IOException;
import java.util.Base64;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.json.JSONObject;

.....

CloseableHttpClient client = HttpClientBuilder.create().build();

HttpPost request = new HttpPost("https://subdomain.onelogin.com/auth/oauth2/v2/token");

// Authorization: Basic <base64("clientId:clientSecret")>
String credentials = String.format("%s:%s", "ONELOGIN CLIENT ID", "ONELOGIN CLIENT SECRET");
byte[] encodedAuth = Base64.getEncoder().encode(credentials.getBytes());
String authHeader = "Basic " + new String(encodedAuth);

request.setHeader("Authorization", authHeader);
request.addHeader("Content-Type", "application/json");
request.setEntity(new StringEntity("{ \"grant_type\": \"client_credentials\" }", "UTF-8"));

try {
  CloseableHttpResponse response = client.execute(request);

  String content = EntityUtils.toString(response.getEntity());

  JSONObject json = new JSONObject(content);

  String accessToken = json.getString("access_token");

  System.out.println(accessToken);

} catch (IOException e) {
    e.printStackTrace();
}

Header Parameters

Authorization

required

string

Only required when Content-Type is set to application/json.

Set to Basic <base64 encoded "clientId:clientSecret">.

e.g. Using Node.js this would be

Buffer.from(`${client_id}:${client_secret}`).toString('base64');

For details about getting a client ID and client secret, see API Credentials.

Content-Type

required

string

Set to application/json or application/x-www-form-urlencoded.

Request Parameter

grant_type

required

string

Set to client_credentials.

Sample Request Body

When using Content-Type application/json

{
   "grant_type": "client_credentials"
}

When using Content-Type application/x-www-form-urlencoded

grant_type=client_credentials&client_id=xxxx&client_secret=yyyyy
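The following is an added example, not code from OneLogin's documentation, that builds the request for both supported Content-Type values: with application/json it sends the Basic Authorization header described under Header Parameters, and with application/x-www-form-urlencoded it places the credentials in the body as in the second sample above. It uses only the Python standard library; `request_token` sends the request over HTTPS, and the placeholder subdomain and credentials in the `__main__` block are assumptions to be replaced with your own.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

TOKEN_PATH = "/auth/oauth2/v2/token"  # path of the Resource URL documented above


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value: Basic <base64("clientId:clientSecret")>."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(subdomain: str, client_id: str, client_secret: str,
                        content_type: str = "application/json") -> dict:
    """Return the URL, method, headers and body for a client_credentials grant.

    application/json: the credentials travel in the Authorization header and
    the body carries only grant_type. application/x-www-form-urlencoded: the
    credentials are form fields, so no Authorization header is sent.
    """
    url = f"https://{subdomain}.onelogin.com{TOKEN_PATH}"
    if content_type == "application/json":
        headers = {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/json",
        }
        body = json.dumps({"grant_type": "client_credentials"})
    elif content_type == "application/x-www-form-urlencoded":
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        body = urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        })
    else:
        raise ValueError("Content-Type must be application/json or "
                         "application/x-www-form-urlencoded")
    return {"url": url, "method": "POST", "headers": headers, "body": body}


def request_token(subdomain: str, client_id: str, client_secret: str,
                  content_type: str = "application/json", timeout: int = 10) -> dict:
    """Send the request and return the decoded JSON body.

    The 400/401/404 error responses are JSON too, so on an HTTPError the body
    is returned as well; callers can then inspect payload["status"]["message"].
    """
    req = build_token_request(subdomain, client_id, client_secret, content_type)
    http_req = urllib.request.Request(req["url"], data=req["body"].encode("utf-8"),
                                      headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(http_req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder values (assumptions): replace with your subdomain and API credentials.
    print(request_token("<subdomain>", "<client_id>", "<client_secret>"))
```

Keep the client_secret out of logs and URLs in both variants: with the form-encoded variant it is part of the request body, so any request logging that captures bodies will capture it.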

Sample Response


{
    "access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34xxxxx51",
    "created_at": "2015-11-11T03:36:18.714Z",
    "expires_in": 36000,
    "refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523xxxxx6x7x20",
    "token_type": "bearer",
    "account_id": 555555
}

Typically, the following error means that your grant_type value is incorrect. The grant_type in your request body must be set to client_credentials. See Sample Request Body above for an example.

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "grant_type is incorrect/absent"
    }
}

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Content Type is not specified or specified incorrectly. Content-Type header must be set to application/json"
    }
}

Typically, the following error means that your Authorization header value is missing or incorrectly formatted. The Authorization header format must be: client_id:<client_id>, client_secret:<client_secret>.

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "The authorization information is missing"
    }
}

Typically, this error means that your client_id and/or client_secret values are invalid.

{
    "status": {
        "error": true,
        "code": 401,
        "type": "Unauthorized",
        "message": "Authentication Failure"
    }
}

Typically, this error means that you are using the incorrect method. Ensure that you are making a POST.

{
    "status": {
        "error": true,
        "code": 404,
        "type": "not found",
        "message": "No Route Exists"
    }
}

Response Elements

access_token

Provides the requested access token. You can use this token to call our resource APIs.

created_at

Time at which the access token was generated.

expires_in

Indicates that the generated access token expires in 36,000 seconds, 600 minutes, or 10 hours.

An expired access token cannot be used to make resource API calls, but it can still be used along with its associated refresh token to call the Refresh Tokens v2 API.

token_type

Indicates that the generated access token is a bearer token.

account_id

Account ID associated with the API credentials used to generate the token.

refresh_token

Deprecated

According to RFC 6749 section 4.4.3, a refresh token should not be returned with a Client Credentials grant, and it is planned for removal from this API response.

Provides the refresh token that is uniquely paired with the access token. You can use this token to request a refresh to its associated access token.
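As an added example (not OneLogin's code), the parser below turns the documented success and error bodies into a typed result: it raises a `TokenError` carrying the documented hint for each 400/401/404 message, derives `expires_at` from `created_at` plus `expires_in`, ignores the deprecated `refresh_token`, and caches one token set until shortly before expiry, which mirrors the endpoint's own behaviour of returning the same set until it expires or is revoked. The sample bodies are constructed from the Sample Response above with placeholder token strings; the 60-second skew and the `TokenCache`/`fetch` design are assumptions.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Constructed sample bodies shaped like the Sample Response and error
# responses above (the token strings are placeholders, not real tokens).
SAMPLE_SUCCESS = json.dumps({
    "access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34xxxxx51",
    "created_at": "2015-11-11T03:36:18.714Z",
    "expires_in": 36000,
    "refresh_token": "628x9x0xx447xx4x421x517x4x474x33x2065x4x1xx523xxxxx6x7x20",
    "token_type": "bearer",
    "account_id": 555555,
})
SAMPLE_AUTH_FAILURE = json.dumps({"status": {
    "error": True, "code": 401, "type": "Unauthorized",
    "message": "Authentication Failure"}})

# Documented error messages mapped to the cause the page gives for each.
HINTS = {
    "grant_type is incorrect/absent": "set grant_type to client_credentials",
    "Content Type is not specified": "set Content-Type to application/json or application/x-www-form-urlencoded",
    "The authorization information is missing": "Authorization header missing or malformed",
    "Authentication Failure": "client_id and/or client_secret invalid",
    "No Route Exists": "wrong HTTP method, the endpoint requires POST",
}


class TokenError(Exception):
    def __init__(self, code: int, type_: str, message: str, hint: str):
        super().__init__(f"{code} {type_}: {message} ({hint})")
        self.code, self.type_, self.message, self.hint = code, type_, message, hint


def parse_utc(text: str) -> datetime:
    """Parse the created_at format, e.g. 2015-11-11T03:36:18.714Z, as an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    token_type: str
    created_at: datetime
    expires_in: int
    account_id: int
    # refresh_token is deliberately not kept: the page marks it deprecated for
    # the client_credentials grant (RFC 6749 section 4.4.3).

    @property
    def expires_at(self) -> datetime:
        return self.created_at + timedelta(seconds=self.expires_in)

    def is_valid(self, now: datetime, skew: int = 60) -> bool:
        """Treat the token as expired `skew` seconds early (assumed margin) to avoid racing the server."""
        return now + timedelta(seconds=skew) < self.expires_at

    def bearer_header(self) -> str:
        """Authorization header value for resource API calls."""
        return f"Bearer {self.access_token}"


def parse_token_response(body_text: str) -> TokenSet:
    payload = json.loads(body_text)
    status = payload.get("status")
    if isinstance(status, dict) and status.get("error"):
        message = status.get("message", "")
        hint = next((h for k, h in HINTS.items() if message.startswith(k)), "see message")
        raise TokenError(status.get("code", 0), status.get("type", ""), message, hint)
    if str(payload.get("token_type", "")).lower() != "bearer":
        raise TokenError(0, "unexpected", f"token_type {payload.get('token_type')!r}", "expected bearer")
    return TokenSet(payload["access_token"], payload["token_type"], parse_utc(payload["created_at"]),
                    int(payload["expires_in"]), int(payload["account_id"]))


class TokenCache:
    """Reuse one token set until it is about to expire; `fetch` returns the raw response body."""

    def __init__(self, fetch: Callable[[], str],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch, self._clock = fetch, clock
        self._current: Optional[TokenSet] = None
        self.fetch_count = 0

    def get(self) -> TokenSet:
        now = self._clock()
        if self._current is None or not self._current.is_valid(now):
            self._current = parse_token_response(self._fetch())
            self.fetch_count += 1
        return self._current
```

Because the endpoint hands back the same token set for the same credentials until expiry, a client that refetches on every call gains nothing and only burns rate limit; caching on `expires_at` keeps the number of token requests to one per 10-hour window.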

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the OAuth 2.0 Tokens API version 2

