Get a 2-Legged Token
Learn how to use the simplest authentication mechanism on APS with this example that acquires a token with the data:read scope.
Before You Begin
Create an app. Note your Client ID and Client Secret.
Step 1: Convert Client ID and Secret to Base64 encoded string
You must combine your Client ID with the Client Secret and convert it to a Base64 encoded string before you can request a two-legged OAuth access token.
- Concatenate your Client ID and Client Secret with a colon character (:) in between, as shown below.
<CLIENT_ID>:<CLIENT_SECRET>
- Use the appropriate function or method in your preferred programming language to encode the combined string to the Base64 format. Examples:
Programming Language    Method/Function
JavaScript              btoa() function
Python                  b64encode() function from the base64 module
C#                      Convert.ToBase64String() method
Note: There are online tools that you can use to convert the combined string to a Base64 encoded string. However, we don’t recommend that you use such tools. Exposing your Client ID and Client Secret to an online tool can pose a security threat.
You should receive a string that looks like RjZEbjh5cGVtMWo4UDZzVXo4SVgzcG1Tc09BOTlHVVQ6QVNOa3c4S3F6MXQwV1hISw==.
Step 2: Use encoded string to obtain an Access Token
Call the POST token endpoint:
The Base64 encoded Client ID + Client Secret are passed through the Authorization header. The grant_type and scope are specified as form fields in the request body.
curl -v 'https://developer.api.autodesk.com/authentication/v2/token' \
-X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-H 'Authorization: Basic <BASE64_ENCODED_STRING_FROM_STEP_1>' \
-d 'grant_type=client_credentials' \
-d 'scope=data:read'
A successful response, in relevant part, will look like this (the example is formatted for ease of reading):
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, no-store
Content-Type: application/json;charset=UTF-8
Date: Mon, 20 Feb 2017 04:46:41 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Server: Apigee Router
Set-Cookie: PF=2xeh6LTdKKqibsTu9HlyM5;Path=/;Secure;HttpOnly
X-Frame-Options: SAMEORIGIN
Content-Length: 436
Connection: keep-alive
{
"token_type": "Bearer",
"expires_in": 1799,
"access_token": "eyJhbGciOiJIUzI1NiIsImtpZCI6Imp3dF9zeW1tZXRyaWNfa2V5X2RldiJ9.eyJjbGllbnRfaWQiOiJjWTFqcm1rQXhPSVptbnNsOVhYN0puVURtVEVETGNGeCIsImV4cCI6MTQ4NzU2NzgwMSwic2NvcGUiOlsiZGF0YTpyZWFkIl0sImF1ZCI6Imh0dHBzOi8vYXV0b2Rlc2suY29tL2F1ZC9qd3RleHAzMCIsImp0aSI6InJZcEZZTURyemtMOWZ1ZFdKSVVlVkxucGNWT29BTDg0dFpKbXlmZ29ORW1MakF0YVVtWktRWU1lYUR2UGlnNGsifQ.uzNexXCeu4efGPKGGhHdKxoJDXHAzLb28B2nSjrq_ys"
}
You can now use the access token to make calls to other API endpoints that require the data:read scope and have an “app only” or “user context optional” authentication context until the token expires.
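The two steps above carried through in Python, as an added example rather than code from the APS documentation: Step 1 builds the Authorization header, Step 2 builds the POST request with the two form fields, and the response is parsed into the bearer token plus an absolute expiry time so the token can be cached until shortly before expires_in elapses. The helper names and the sample response are constructed for this example; only the endpoint URL, header names, form fields and response fields come from the page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://developer.api.autodesk.com/authentication/v2/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Step 1: Base64-encode '<CLIENT_ID>:<CLIENT_SECRET>' for the Authorization header.
    Base64 is encoding, not encryption: the value is trivially reversible and must be
    handled exactly like the Client Secret itself (never logged, never pasted into a web tool)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, client_secret: str,
                        scope: str = "data:read") -> urllib.request.Request:
    """Step 2: POST grant_type=client_credentials and scope as form fields; the
    credentials travel only in the Authorization header, never in the body or URL."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}).encode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def parse_token_response(body: str, now: float) -> dict:
    """Check the fields shown in the tutorial's response and convert the relative
    expires_in into an absolute expires_at (60 s margin) so the token can be cached."""
    payload = json.loads(body)
    if payload.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type: {payload.get('token_type')!r}")
    return {"access_token": payload["access_token"],
            "expires_at": now + int(payload["expires_in"]) - 60}


def get_token(client_id: str, client_secret: str, scope: str = "data:read") -> dict:
    """Live call: needs network access and real credentials (not exercised offline)."""
    req = build_token_request(client_id, client_secret, scope)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode("utf-8"), time.time())

# Constructed sample response in the shape the tutorial shows (token shortened).
SAMPLE_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 1799, "access_token": "eyJ...example"})
```

Reuse the cached token until expires_at passes rather than calling the token endpoint before every API request; a fresh token is only needed once the cached one is about to expire.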