Grant Type: Client Credentials

This page walks through how to retrieve an access_token via the Client Credentials grant.

The Client Credentials grant type is the simplest method of authentication to retrieve an access_token outside of the context of a user. With the Client Credentials grant type, an app sends its own credentials (the client ID and client secret) to our token endpoint.

For a Go1 partner, the client credentials grant type is most often used when onboarding new customer portals.

Example request

First, send your credentials, client ID and client secret, via a POST request to https://auth.go1.com/oauth/token, setting the grant type to client_credentials.

An example request might look like this:

curl --location --request POST 'https://auth.go1.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<CLIENT_ID>' \
--data-urlencode 'client_secret=<CLIENT_SECRET>' \
--data-urlencode 'grant_type=client_credentials'

The server will reply with an access_token and the expiration time (12 hours).

{ 
	"token_type": "Bearer", 
	"expires_in": 43200, 
	"access_token": "OAUTH_TOKEN"
}

Access Token Usage

Once an access token has been provided, an application can use it to access the user's account. This access is limited to the scope provided and will only be available until the token expires or is removed.

An example API request using curl might look like this. Note that the access token is included in the Authorization header:

curl -X POST -H "Authorization: Bearer <ACCESS_TOKEN>" "https://api.go1.com/v2/ENDPOINT"

Provided the access token remains valid, the request will be processed according to API specifications. If the access token expires or is removed, an 'Invalid token' error will be presented.
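
The following Python code is an added example, not Go1's own code. It requests a token as in the curl call above, keeps it in memory for the expires_in period, and renews it shortly before expiry or after an 'Invalid token' error. The TokenCache class, the 300-second renewal margin and the GO1_CLIENT_ID / GO1_CLIENT_SECRET environment variable names are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.go1.com/oauth/token"  # token endpoint from this page


def request_token(client_id, client_secret):
    # Form-encoded POST body, the same three fields as the curl example.
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token in memory and renews it shortly before expiry."""

    def __init__(self, client_id, client_secret, fetch=request_token,
                 clock=time.monotonic, margin=300):
        self._creds = (client_id, client_secret)
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            reply = self._fetch(*self._creds)
            if reply.get("token_type") != "Bearer" or not reply.get("access_token"):
                raise ValueError("unexpected token response")  # body is not logged
            self._token = reply["access_token"]
            # expires_in is in seconds (43200 = 12 hours); renew `margin` early.
            self._expires_at = self._clock() + int(reply["expires_in"]) - self._margin
        return self._token

    def invalidate(self):  # call after an 'Invalid token' error from the API
        self._token = None

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}


if __name__ == "__main__":
    # Assumed variable names; keeps the secret out of source and shell history.
    cache = TokenCache(os.environ["GO1_CLIENT_ID"], os.environ["GO1_CLIENT_SECRET"])
    print(sorted(cache.auth_header()))  # header name only, never the token
```

Reusing one token until it nears expiry means the client secret is sent to the token endpoint roughly twice a day instead of on every API call.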