Making your first API call using client_credentials auth flow

A short how-to showing how to use our OAuth flow with a test request.

Pre-requisites

You will need

  1. your API key (x-api-key)
  2. your tenant reference (x-andopen-tenant)
  3. your client_id and client_secret

Enterprise customers will receive all three via 1Password from the &Open team.

Note: this client_credentials flow is for server-to-server calls, or "private clients". We support other OAuth2 auth flows for building mobile or web apps and other "public client" uses.

Please keep your client_id/client_secret safe.

Step 1: exchange your client credentials for a Bearer and refresh token

Make a call with these parameters and headers. Note that the x-andopen-client header is not used by the auth server, but it is by the API server.

curl -X "POST" "https://auth.andopen.co/auth/token" \
     -H 'Content-Type: application/json' \
     -H 'x-api-key: <<x-api-key>>' \
     -d $'{
  "grant_type": "client_credentials",
  "tenant": "<<x-andopen-client>>",
  "client_id": "andopen_client_id_...",
  "client_secret": "..."
}'

For staging use, make calls to https://staging.auth.andopen.co

The 200 response from the server will contain an access_token and an optional refresh_token:

{
  "token_type": "bearer",
  "expires_in": 4000,
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "...dae1",
  "scope": null
}

Step 2: optionally save the refresh_token

The refresh_token in the POST /auth/token response can be used to obtain a new access token without re-sending client_id/client_secret. Keep it in a secure cache, server memory, or another secure location.

Step 3: Make API calls as usual

Using the access_token from the POST /auth/token response, create an Authorization header value of "Bearer", followed by a single space, followed by the access_token.

An access token of abc would give the header Authorization: Bearer abc

curl "https://api.andopen.co/" \
     -H 'x-api-key: <<x-api-key>>' \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'

All going well, the server will respond with

"& for Makers - The &Open API - v0.1.0 (dd35125:dd351258)"
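Putting the three steps together as one reusable client, as an added example that is not &Open's SDK or code from this page: it performs the client_credentials exchange from Step 1, caches the token and renews it with the refresh_token before expires_in runs out (Step 2), and builds the Authorization: Bearer header for API calls (Step 3). The request body for the refresh grant is an assumption (the standard OAuth2 refresh_token grant from RFC 6749), since the how-to only shows the client_credentials body; FakeAndOpenServer, the credentials and the token strings in demo() are constructed so the example runs offline and replays the sample responses shown above. Leave transport at its default (urllib_transport) to call the real endpoints.

```python
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

AUTH_URL = "https://auth.andopen.co/auth/token"  # staging: https://staging.auth.andopen.co
API_URL = "https://api.andopen.co/"
# (url, headers, body_or_None) -> (status, body); injected so the flow can be tested offline
Transport = Callable[[str, dict, Optional[bytes]], Tuple[int, bytes]]

def urllib_transport(url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real stdlib transport: urllib sends POST when data is given, GET otherwise."""
    from urllib import request
    with request.urlopen(request.Request(url, data=body, headers=headers), timeout=10) as resp:
        return resp.status, resp.read()

@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # absolute epoch seconds (assumes expires_in is a lifetime in seconds)
    refresh_token: Optional[str]

class AndOpenClient:
    EXPIRY_SKEW = 30  # renew this many seconds early so a token never expires mid-request

    def __init__(self, api_key, tenant, client_id, client_secret,
                 transport: Transport = urllib_transport, clock=time.time):
        self.api_key, self.tenant = api_key, tenant
        self.client_id, self.client_secret = client_id, client_secret
        self._transport, self._clock = transport, clock
        self._token: Optional[CachedToken] = None

    def _token_request(self, payload: dict) -> CachedToken:
        headers = {"Content-Type": "application/json", "x-api-key": self.api_key}
        status, raw = self._transport(AUTH_URL, headers, json.dumps(payload).encode())
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        data = json.loads(raw)
        self._token = CachedToken(data["access_token"], self._clock() + float(data["expires_in"]),
                                  data.get("refresh_token"))
        return self._token

    def fetch_token(self) -> CachedToken:
        """Step 1: the client_credentials request body shown in the how-to."""
        return self._token_request({"grant_type": "client_credentials", "tenant": self.tenant,
                                    "client_id": self.client_id, "client_secret": self.client_secret})

    def refresh(self) -> CachedToken:
        """Step 2: renew with the cached refresh_token instead of re-sending the secret. Assumed
        shape: the standard OAuth2 refresh_token grant (RFC 6749 s.6); the how-to does not show it."""
        if self._token is None or not self._token.refresh_token:
            return self.fetch_token()
        return self._token_request({"grant_type": "refresh_token",
                                    "refresh_token": self._token.refresh_token})

    def authorization_header(self) -> str:
        """Step 3: 'Bearer', one space, then the access_token; renews when stale."""
        if self._token is None:
            self.fetch_token()
        elif self._clock() >= self._token.expires_at - self.EXPIRY_SKEW:
            self.refresh()
        return "Bearer " + self._token.access_token

    def get(self, path: str = "") -> Tuple[int, str]:
        headers = {"x-api-key": self.api_key, "Accept": "application/json",
                   "Authorization": self.authorization_header()}
        status, raw = self._transport(API_URL + path, headers, None)
        return status, raw.decode()

class FakeAndOpenServer:
    """Constructed stand-in for both hosts so the example runs offline: it replays the sample
    responses from the how-to and records what each request carried."""
    def __init__(self):
        self.grants, self.auth_headers = [], []

    def __call__(self, url, headers, body):
        if url == AUTH_URL:
            self.grants.append(json.loads(body)["grant_type"])
            if headers.get("x-api-key") != "test-api-key":
                return 401, b'{"error": "bad api key"}'
            return 200, json.dumps({"token_type": "bearer", "expires_in": 4000,
                                    "access_token": f"eyJ...token{len(self.grants)}",
                                    "refresh_token": "...dae1", "scope": None}).encode()
        auth = headers.get("Authorization", "")
        self.auth_headers.append(auth)
        if url != API_URL or not auth.startswith("Bearer "):
            return 401, b'"unauthorized"'
        return 200, b'"& for Makers - The &Open API - v0.1.0 (dd35125:dd351258)"'

def demo() -> dict:
    server, now = FakeAndOpenServer(), [1_700_000_000.0]
    client = AndOpenClient("test-api-key", "test-tenant", "andopen_client_id_test",
                           "test-secret", transport=server, clock=lambda: now[0])
    first = client.get()   # exchanges client credentials, then calls the API
    second = client.get()  # token still valid: reused from the cache
    now[0] += 4000         # expires_in elapsed: refresh grant, then a new token
    third = client.get()
    return {"statuses": [first[0], second[0], third[0]], "body": first[1],
            "grants": server.grants, "auth_headers": server.auth_headers}
```

Two design points worth keeping in a real integration: EXPIRY_SKEW renews the token a little before expires_in elapses, so a request never leaves with a token that the API server will reject as expired, and the refresh_token lives only in process memory here, which is one of the secure locations Step 2 describes; if it must be persisted, treat it with the same care as the client_secret.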