The Guide

Authorising your OKAPI requests

To be authenticated, a request to OKAPI should carry an access token in its headers.

Request an Access token

Content-Type: application/x-www-form-urlencoded

To obtain access to the OKAPI HTTP service we use the OAuth2 client credentials grant to provide an access_token.
The access_token provides access to the OKAPI services. It expires after one hour.
Please ensure that your backend application handles the lifecycle of the access token. More information about access_tokens can be found in the official OAuth spec:

To request the access_token you have to provide the client_id and your client_secret.

You will need the access_token for every subsequent request to OKAPI. It will expire after one hour.

Example Request with cURL

# Replace <token_url> with the token endpoint URL (placeholder).
curl \
-H "Cache-Control: no-cache" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=<client_id>" \
-d "client_secret=<client_secret>" \
"<token_url>"

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8


Adding token to the request

To authorise the request, add the access token to the request headers under the key "Authorization". The value should be the access token prefixed with the marker "Bearer".

Authorization: Bearer {access_token}
Accept: application/json

Example Request with cURL

# Replace <request_url> with the OKAPI resource URL (placeholder).
curl \
-X GET \
-H "Authorization: Bearer <access_token>" \
-H "Accept: application/json" \
"<request_url>"
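
The following Python is an added example (not OKAPI's own code) of the token lifecycle handling asked for above: it requests a token with the client credentials grant, reuses it until shortly before expiry, and builds the Authorization header. TOKEN_URL is a placeholder, and the access_token / expires_in response fields are assumed to follow the standard OAuth2 token response, since the page shows neither.

```python
import json
import threading
import time
import urllib.parse
import urllib.request

# Placeholder: the page does not show the token endpoint URL.
TOKEN_URL = "https://auth.example.invalid/oauth/token"

def fetch_token(client_id, client_secret, url=TOKEN_URL):
    """POST the client credentials grant; return the parsed JSON body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Cache-Control": "no-cache",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Reuses one access token and renews it shortly before it expires."""
    def __init__(self, fetch, clock=time.monotonic, skew=60, default_ttl=3600):
        self._fetch, self._clock = fetch, clock
        self._skew, self._default_ttl = skew, default_ttl
        self._token, self._expires_at = None, 0.0
        self._lock = threading.Lock()  # one refresh at a time across threads

    def token(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._skew:
                data = self._fetch()
                # Assumed standard OAuth2 fields; fall back to the page's one hour.
                ttl = float(data.get("expires_in", self._default_ttl))
                self._token = data["access_token"]
                self._expires_at = self._clock() + ttl
            return self._token

    def invalidate(self):
        """Call after a 401 so the next request fetches a fresh token."""
        with self._lock:
            self._token = None

    def headers(self):
        return {"Authorization": "Bearer " + self.token(), "Accept": "application/json"}
```

Typical wiring is `TokenCache(lambda: fetch_token(client_id, client_secret))`, with the client_secret read from the environment or a secrets store rather than from source code.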