6 Jun 2023

Using 3-legged OAuth v2 with Postman

We already have an article on how to use 3-legged authentication inside Postman, but that was using the OAuth v1 API.

Now we have OAuth v2, which needs to be used in a different way.

First of all you just need to select 'OAuth 2.0' on the 'Authorization' tab of the request where you need to use a 3-legged token:

Authorization

Since the previous article was published, Postman has also added a nice new option called 'Authorize using browser', which lets you take advantage of the password managers in your web browser. Plus, if you're already logged into Autodesk with your account, you might not even have to type in your credentials again. The downside is that in this case you have to add a specific 'Callback URL' to your APS app on https://aps.autodesk.com/myapps/, which is 'https://oauth.pstmn.io/v1/callback'.

callback URL needed in APS app

If you're not using 'Authorize using browser' then just add whatever 'Callback URL' is currently used by your APS app to the 'Callback URL' field in Postman.

Beyond the above, these are the values you need to provide:

Grant Type: 'Authorization Code'

Auth URL: 'https://developer.api.autodesk.com/authentication/v2/authorize'

Access Token URL: 'https://developer.api.autodesk.com/authentication/v2/token'

Client ID: Client ID of your APS app

Client Secret: Client Secret of your APS app

Scope: it depends on which APS endpoints you'll want to call later. This should cover most cases: 'viewables:read data:read data:write data:create data:search bucket:create bucket:read bucket:update bucket:delete'

Client Authentication: 'Send as Basic Auth header'

3 legged authentication options

Then just click 'Get New Access Token' and log in with your Autodesk account. If you are using the 'Authorize using browser' option, then make sure that the pop-up blocker for that site is off:

Switch pop-up blocker off

After logging in, click 'Open Postman', then inside Postman click 'Proceed', then 'Use Token'.

back to postman app

Now you're ready to click 'Send' on the request 😀
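The two requests that Postman builds from the settings above, as an added Python example (not code from the original article or from Autodesk). The function names and the client ID/secret are hypothetical placeholders, and `state` is the standard OAuth 2.0 anti-CSRF parameter rather than a field listed on this page; nothing is sent over the network.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_URL = "https://developer.api.autodesk.com/authentication/v2/authorize"
TOKEN_URL = "https://developer.api.autodesk.com/authentication/v2/token"
CALLBACK_URL = "https://oauth.pstmn.io/v1/callback"  # must match the APS app exactly


def build_authorize_url(client_id, scope, state, callback_url=CALLBACK_URL):
    """Leg 1: URL opened in the browser, where the user logs in and consents."""
    return AUTH_URL + "?" + urlencode({
        "response_type": "code",  # 'Authorization Code' grant type
        "client_id": client_id,
        "redirect_uri": callback_url,
        "scope": scope,
        "state": state,
    })


def code_from_callback(redirected_url, expected_state):
    """Leg 2: read the code from the callback, rejecting a foreign state."""
    params = parse_qs(urlparse(redirected_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this request")
    return params["code"][0]


def build_token_request(client_id, client_secret, code, callback_url=CALLBACK_URL):
    """Leg 3: POST that exchanges the code; credentials go in a Basic header."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": callback_url})
    return TOKEN_URL, headers, body


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # fresh, unguessable value per request
    print(build_authorize_url("CONSTRUCTED_CLIENT_ID", "data:read", state))
```

The client secret only ever appears in the token request, never in the browser URL, which is why the 'Callback URL' registered on the APS app is the only value that has to be exposed to the redirect.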
