Authentication (OAuth)API ReferenceToken Endpoint

Token Endpoint

POST/openapi/v1/oauth/token

Obtain an access token for server-to-server API calls.

Submit your client_id, client_secret, and the target space_id to receive a Bearer token. The token is valid for 1 hour; cache it and request a new one ~60 seconds before expiry.


Request Parameters

application/x-www-form-urlencoded
grant_typeRequiredstring
Must be `client_credentials`.
client_credentials
client_idRequiredstring
The app's `client_id`.
client_secretRequiredstring(password)
The app's `client_secret`. Keep this value secure on your server; never expose it to clients.
space_idRequiredstring
The Space (tenant) to act within. The app must be installed in this Space.
scopeOptionalstring
Space-separated scopes to request. If omitted, defaults to all scopes granted to this app in the specified Space.

Request Example

"grant_type=client_credentials&client_id=SGCLxQk2mN8pR4vW1yH3jT5bZ6aE7cF0&client_secret=Kj3mN8pR4vW1xZ6bY2qT5hE9gA0cF7dLsUr4Qz8P&space_id=SGSPxQk2mN8pR4vW1yH3jT5bZ6aE7cF0&scope=envelope%3Acreate+envelope%3Aread"

Response Parameters

access_tokenRequiredstring
JWT access token. Valid for 1 hour.
token_typeRequiredstring
Always `Bearer`.
Bearer
expires_inRequiredinteger
Access token lifetime in seconds.
scopeOptionalstring
The scopes granted.

Response Example

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "envelope:create envelope:read"
}

Error Codes

HTTP StatusError CodeDescription
400invalid_requestMissing required parameters
400invalid_scopeRequested scope exceeds granted scope
400invalid_grantAuthorization grant is invalid or expired
400unsupported_grant_typeUnsupported grant_type
401invalid_clientInvalid client_secret
401invalid_clientUnknown or suspended client
500server_errorInternal server error.