Task 1 – Obtain an Access Token
This task generates an access token for authenticating subsequent API calls in the walkthrough. The token requires a specific scope to grant access to necessary resources. In Step 3, replace the placeholder <REQUIRED_SCOPE> with data:read data:create data:write code:all to obtain an access token with a sufficient scope for the rest of this walkthrough.
By the end of this task, you will know how to obtain a two-legged access token when the Client ID and Client Secret are known.
You use the following operation for this task:
Operation | HTTP Request |
---|---|
Get an Access Token | POST /token |
Step 1 - Register an App
Follow the instructions in the tutorial Create an app to register an app for this tutorial. Note down the Client ID and Client Secret you receive for the app. When specifying details of the app, don’t change the APIs selected by default under API Access.
Step 2: Encode your Client ID and Client Secret
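Before requesting an access token, you’ll need to Base64-encode your credentials, which is the format the Authorization header expects. Base64 is an encoding, not encryption: anyone who obtains the encoded string can decode it back to the Client ID and Client Secret, so handle it with the same care as the Client Secret itself. This is how you do it: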
- Concatenate your Client ID and Client Secret with a colon character (:) in between, as shown below.
<CLIENT_ID>:<CLIENT_SECRET>
- Use the appropriate function or method in your preferred programming language to encode the combined string to the Base64 format. Examples:
Programming Language | Method/Function |
---|---|
JavaScript | btoa() function |
Python | b64encode() function from the base64 module |
C# | Convert.ToBase64String() method |

JavaScript:

    const clientId = "<CLIENT_ID>";
    const clientSecret = "<CLIENT_SECRET>";
    const clientAuthKeys = btoa(clientId + ":" + clientSecret);

Python:

    import base64
    clientId = "<CLIENT_ID>"
    clientSecret = "<CLIENT_SECRET>"
    clientAuthKeys = base64.b64encode((clientId + ":" + clientSecret).encode("ascii")).decode("ascii")

C#:

    using System;
    using System.Text;
    string clientId = "<CLIENT_ID>";
    string clientSecret = "<CLIENT_SECRET>";
    string combinedKeys = clientId + ":" + clientSecret;
    byte[] bytesToEncode = Encoding.UTF8.GetBytes(combinedKeys);
    string encodedText = Convert.ToBase64String(bytesToEncode);

Note: There are online tools that you can use to convert the combined string to a Base64 encoded string. However, we don’t recommend that you use such tools. Exposing your Client ID and Client Secret to an online tool can pose a security threat.
You should receive a string that looks like RjZEbjh5cGVtMWo4UDZzVXo4SVgzcG1Tc09BOTlHVVQ6QVNOa3c4S3F6MXQwV1hISw==.
Step 3: Use the encoded string to obtain an Access Token
Call POST token:
The Base64-encoded Client ID and Client Secret are passed in the Authorization header. The grant_type and scope are specified as form fields in the request body.
Request
curl -v 'https://developer.api.autodesk.com/authentication/v2/token' \
-X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-H 'Authorization: Basic <BASE64_ENCODED_STRING_FROM_STEP_1>' \
-d 'grant_type=client_credentials' \
-d 'scope=<REQUIRED_SCOPE>'
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, no-store
Content-Type: application/json;charset=UTF-8
Date: Mon, 20 Feb 2017 04:46:41 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Server: Apigee Router
Set-Cookie: PF=2xeh6LTdKKqibsTu9HlyM5;Path=/;Secure;HttpOnly
X-Frame-Options: SAMEORIGIN
Content-Length: 436
Connection: keep-alive

{
    "token_type": "Bearer",
    "expires_in": 1799,
    "access_token": "<ACCESS_TOKEN>"
}
Notes:
- Note down the access token (indicated by <ACCESS_TOKEN>) in the response. You will use this value to authenticate all subsequent requests in this tutorial.
- The access token expires in the number of seconds specified by the expires_in attribute.
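The request and response above can be handled in one place. This is an added example, not code from the original tutorial. It builds the POST /token request without sending it, URL-encodes the scope list, and turns expires_in into a refresh time. The helper names, the APS_CLIENT_ID and APS_CLIENT_SECRET environment variable names and the 60-second refresh margin are assumptions.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://developer.api.autodesk.com/authentication/v2/token"
SCOPE = "data:read data:create data:write code:all"

def build_token_request(client_id, client_secret, scope=SCOPE):
    """Build (but do not send) the POST /token request from Steps 2 and 3."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    # urlencode escapes the spaces and colons in the scope list.
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return urllib.request.Request(
        TOKEN_URL,
        data=body.encode("ascii"),
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
            "Authorization": f"Basic {basic}",
        },
    )

def parse_token_response(raw_json, now=None, margin=60):
    """Return (access_token, refresh_at); refresh `margin` seconds before expiry."""
    data = json.loads(raw_json)
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response")
    now = time.time() if now is None else now
    return data["access_token"], now + int(data["expires_in"]) - margin

def redact(secret, keep=4):
    """Shorten a secret for log output so the full value never reaches logs."""
    return secret[:keep] + "..." if len(secret) > keep else "***"

if __name__ == "__main__":
    # Assumed variable names; the constructed fallbacks keep the demo offline.
    req = build_token_request(os.environ.get("APS_CLIENT_ID", "demo-id"),
                              os.environ.get("APS_CLIENT_SECRET", "demo-secret"))
    print(req.get_method(), req.full_url, redact(req.get_header("Authorization"), 10))
    sample = '{"token_type": "Bearer", "expires_in": 1799, "access_token": "constructed-token"}'
    print(parse_token_response(sample, now=0))
```

Pass the returned Request to urllib.request.urlopen() to send it. Reading the credentials from the environment keeps the Client Secret out of source control.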