You can obtain an access token by providing the resource owner's username and password as an authorization grant. It requires the base64 encoded string of the
consumer-key:consumer-secret combination. You need to meet the following prerequisites before using the Token API to generate a token.
- A valid user account in the API Store. You can self sign up if it is enabled by an admin.
- A valid consumer key and consumer secret pair. Initially, these keys must be generated through the API Store by clicking the Generate link on My Subscriptions page.
A running API Gateway instance (typically an API Manager instance should be running). For instructions on API Gateway, see Components.
- If the key manager is on a different server than the API Gateway, change the server URL (host and ports) of the key manager accordingly in the
<APIKeyManager><ServerURL>element of the
If you have multiple Carbon servers running on the same computer, change the port with an offset to avoid port conflicts.
Invoking the Token API to generate tokens
- Combine the consumer key and consumer secret keys in the format consumer-key:consumer-secret and encode the combined string using base64. Encoding to base64 can be done using the URL:
Here's an example consumer key and secret combination :
- Access the Token API by using a REST client such as the
- Assuming that both the client and the API Gateway are run on the same server, the token API url is https://localhost:8243/token
"grant_type=password&username=<username>&password=<password>&scope=<scope>". Replace the
<password>values as appropriate.
Tip: <scope> is optional.
You define scopes for your API's resources so that the resource can only be accessed through a token that had been issued for at least the scope belonging to the resource. For example, if a resource has a scope named 'update' and if the token is issued for the scopes 'read' and 'update', then the token is allowed to access the resource. If the token is issued for a scope named 'read', the request bearing the particular token will be blocked.
- headers -
Authorization: Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace the
<base64 encoded string>as appropriate.
For example, use the following cURL command to access the Token API. It generates two tokens as an access token and a refresh token. You can use the refresh token at the time a. or Curl, with the following parameters.
Instead of using the Token API, you can generate access tokens from the API Store's UI.