Grant Type: Password Grant

This page walks through how to retrieve an access and refresh token via the Password grant type.

If your application is in possession of a user's username and password, the password grant type can be used to exchange the user's credentials for an access_token and refresh_token without any user-level interactions.

It is recommended to use this flow if your application directly provisioned the user and customer portal you are authenticating with, and you have stored the username and password of the portal administrator you created.

For Go1 partners, the password grant type can be used as a disaster recovery measure, to automatically provision a new set of customer tokens should their original tokens be lost.

Example request

To retrieve a token via password grant, an example request might look like this:

curl --location --request POST 'https://auth.go1.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<CLIENT_ID>' \
--data-urlencode 'client_secret=<CLIENT_SECRET>' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'portal_name=<PORTAL_URL>' \
--data-urlencode 'scope=<SCOPES>' \
--data-urlencode 'username=<PORTAL_ADMIN_EMAIL>' \
--data-urlencode 'password=<PORTAL_ADMIN_PASSWORD>'

  • If you are a Go1 Partner using this request to generate a token on behalf of a Customer Portal that you have provisioned, the client_id and client_secret used in the request should be your partner client ID and secret (see Partner API Keys Setup Guide).
  • The portal_name field should contain the URL of the portal you are authenticating with, in the form example.mygo1.com.
  • See a list of available scopes here.

The server will reply with a new access token and refresh token, and the expiration time of the access token (12 hours). Note that the refresh token has an expiry of 90 days.

{ 
	"token_type": "Bearer", 
	"expires_in": 43200, 
	"access_token": "OAUTH_TOKEN", 
	"refresh_token": "OAUTH_REFRESH_TOKEN"
}
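
An added example (not Go1's own code) of handling this exchange on the client side: it builds the form body for the request above, records when each token expires using the 12-hour and 90-day lifetimes stated here, and keeps token values out of log output. The function names, the 300-second skew and the sample values are assumptions; the refresh request itself is not shown on this page.

```python
import json
import time
import urllib.parse
from dataclasses import dataclass

REFRESH_TOKEN_LIFETIME = 90 * 24 * 3600  # 90 days, as stated on this page
REQUIRED = ("client_id", "client_secret", "portal_name", "scope", "username", "password")
# Constructed sample mirroring the response shown above.
SAMPLE_RESPONSE = '{"token_type": "Bearer", "expires_in": 43200, "access_token": "OAUTH_TOKEN", "refresh_token": "OAUTH_REFRESH_TOKEN"}'

@dataclass(frozen=True, repr=False)
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float
    refresh_expires_at: float

    def __repr__(self):  # keep token values out of logs and tracebacks
        return f"TokenSet(access_expires_at={self.access_expires_at}, refresh_expires_at={self.refresh_expires_at})"

def build_password_grant_body(params):
    """Form-encode the password grant fields; reject missing or placeholder values."""
    bad = [k for k in REQUIRED if not params.get(k) or params[k].startswith("<")]
    if bad:
        raise ValueError(f"missing or placeholder fields: {bad}")  # field names only
    fields = {"grant_type": "password", **{k: params[k] for k in REQUIRED}}
    return urllib.parse.urlencode(fields).encode()

def parse_token_response(text, now=None):
    """Turn the JSON reply into a TokenSet with absolute expiry times."""
    now = time.time() if now is None else now
    data = json.loads(text)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    return TokenSet(data["access_token"], data["refresh_token"],
                    now + int(data["expires_in"]), now + REFRESH_TOKEN_LIFETIME)

def next_action(tokens, now=None, skew=300):
    """Decide what the client should do before its next API call."""
    now = time.time() if now is None else now
    if now >= tokens.refresh_expires_at - skew:
        return "password_grant"  # refresh token expired: repeat the password grant
    if now >= tokens.access_expires_at - skew:
        return "refresh"  # access token expired or about to expire
    return "use_access_token"
```

Load the client secret and portal administrator password from a secret store or the environment rather than typing them on a command line, where they end up in shell history and process listings.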

Access Token Usage

Once an access token has been provided, an application can use it to access the user's account. This access is limited to the scope provided and will only be available until the token expires or is removed.

An example API request using curl might look like this. Note that the access token is included in the Authorization header:

curl -X POST -H "Authorization: Bearer <ACCESS_TOKEN>" "https://api.go1.com/v2/ENDPOINT"

Provided the access token remains valid, the request will be processed according to API specifications. If the access token expires or is removed, an 'Invalid token' error will be presented.