This page walks through how to retrieve an access and refresh token via the Password grant type.
If your application is in possession of a user's username and password, the password grant type can be used to exchange the user's credentials for an access_token and refresh_token without any user-level interactions.
It is recommended to use this flow if your application directly provisioned the user and customer portal you are authenticating with, and you have stored the username and password of the portal administrator you created.
For Go1 partners, the password grant type can be used as a disaster recovery measure, to automatically provision a new set of customer tokens should their original tokens be lost.
To retrieve a token via password grant, an example request might look like this:
curl --location --request POST 'https://auth.go1.com/oauth/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=<CLIENT_ID>' \
  --data-urlencode 'client_secret=<CLIENT_SECRET>' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'portal_name=<PORTAL_URL>' \
  --data-urlencode 'scope=<SCOPES>' \
  --data-urlencode 'username=<PORTAL_ADMIN_EMAIL>' \
  --data-urlencode 'password=<PORTAL_ADMIN_PASSWORD>'
The server will reply with a new access token and refresh token, and the expiration time of the access token (12 hours). Note that the refresh token has an expiry of 90 days.
{
  "token_type": "Bearer",
  "expires_in": 43200,
  "access_token": "OAUTH_TOKEN",
  "refresh_token": "OAUTH_REFRESH_TOKEN"
}
Once an access token has been provided, an application can use it to access the user's account. This access is limited to the scope provided and will only be available until the token expires or is removed.
An example of an API request using curl might look like this. Note that the access token is included:
curl -X POST -H "Authorization: Bearer <ACCESS_TOKEN>" "https://api.go1.com/v2/ENDPOINT"
Provided the access token remains valid, the request will be processed according to API specifications. If the access token expires or is removed, an 'Invalid token' error will be presented.
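The following is an added example, not Go1's own code: it builds the password grant request from an environment-style mapping so the client secret and admin password never appear on a command line, turns the token reply into absolute expiry times, and picks the least powerful credential that still works. The `GO1_*` variable names, the 60-second safety margin and the action labels are assumptions made for illustration; the refresh request itself is not shown on this page.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.go1.com/oauth/token"  # endpoint from the curl example
REFRESH_TTL = 90 * 24 * 3600                    # refresh token lifetime stated above
SKEW = 60                                       # assumed safety margin, in seconds
# The reply body shown on this page, with its placeholder token values.
SAMPLE_REPLY = ('{"token_type": "Bearer", "expires_in": 43200, '
                '"access_token": "OAUTH_TOKEN", "refresh_token": "OAUTH_REFRESH_TOKEN"}')


def build_password_grant(env):
    """Build (but do not send) the POST; env is os.environ or a secrets-store dict."""
    form = {
        "client_id": env["GO1_CLIENT_ID"],            # hypothetical variable names
        "client_secret": env["GO1_CLIENT_SECRET"],
        "grant_type": "password",
        "portal_name": env["GO1_PORTAL_URL"],
        "scope": env["GO1_SCOPES"],
        "username": env["GO1_ADMIN_EMAIL"],
        "password": env["GO1_ADMIN_PASSWORD"],
    }
    body = urllib.parse.urlencode(form).encode()      # same encoding as --data-urlencode
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw, now):
    """Validate the JSON reply and attach absolute expiry timestamps."""
    tok = json.loads(raw)
    if tok.get("token_type") != "Bearer" or not tok.get("access_token"):
        raise ValueError("unexpected token response")
    return {"access_token": tok["access_token"],
            "refresh_token": tok.get("refresh_token"),
            "access_expires_at": now + int(tok["expires_in"]),
            "refresh_expires_at": now + REFRESH_TTL}


def next_action(state, now):
    """Return which credential to use next; the stored password is the last resort."""
    if state is None:
        return "password_grant"                       # tokens lost: the recovery case
    if now < state["access_expires_at"] - SKEW:
        return "use_access_token"
    if state["refresh_token"] and now < state["refresh_expires_at"] - SKEW:
        return "refresh"
    return "password_grant"
```

Pass the returned request to `urllib.request.urlopen` to send it, and keep the parsed state out of logs since it holds both tokens.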