
Client Credentials Flow

While the preferred authentication method for the 401GO API is the Authorization Code Flow, we allow certain partners to authenticate using the Client Credentials Flow. This flow is suitable for machine-to-machine authentication where user interaction is not required.

When to Use This Flow

  • This method should only be used by approved partners.
  • It is intended for server-to-server communication without direct user involvement.

Credential Distribution and Access

  • Client credentials will be sent via secure email.
  • During onboarding, we will determine which entities your client credentials can access and how to request additional permissions.

Authentication Steps

1. Obtain an Access Token

To authenticate, make a POST request to the token endpoint with your client credentials.

Endpoint:

POST https://app.401go.com/api/o/token/

Headers:

  • Authorization: Basic BASE64_ENCODED(YOUR_CLIENT_ID:YOUR_CLIENT_SECRET)
  • Content-Type: application/x-www-form-urlencoded

Request Parameters:

  • grant_type=client_credentials
  • scope=REQUESTED_SCOPES (optional, space-separated list of permissions)

Example Request:

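# Build the Basic credential: base64 of "client_id:client_secret" (no trailing newline)
BASIC_AUTH=$(printf '%s' "YOUR_CLIENT_ID:YOUR_CLIENT_SECRET" | base64 | tr -d '\n')

curl -X POST "https://app.401go.com/api/o/token/" \
     -H "Authorization: Basic ${BASIC_AUTH}" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "grant_type=client_credentials"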

2. Receive the Access Token

A successful response will return an access token:

Example Response:

{
  "access_token": "YOUR_ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "read write"
}

3. Use the Access Token

Include the token in the Authorization header of API requests. Access tokens are valid for 60 minutes.

Example Request:

curl -X GET "https://app.401go.com/api/example-endpoint" \
     -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
     -H "Content-Type: application/json"

4. Token Expiry and Renewal

When the access token expires, request a new one using the same POST request with your client credentials.
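
Steps 1 through 4 combined into a server-side client, as an added example that is not 401GO's own code: it builds the token request, checks the response, caches the token, and requests a new one shortly before the 60-minute lifetime ends. The names TokenCache, build_token_request and http_post and the 60-second renewal margin are assumptions made for this example; only the endpoint, headers and parameters come from this page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://app.401go.com/api/o/token/"  # token endpoint from step 1


def build_token_request(client_id, client_secret, scope=None):
    """Return (headers, body) for the client_credentials POST in step 1."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials"}
    if scope:  # optional, space-separated list of permissions
        form["scope"] = scope
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urllib.parse.urlencode(form).encode()


def http_post(url, headers, body):
    """Default transport (hypothetical helper): POST and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class TokenCache:
    """Hypothetical helper: holds one token and renews it `margin` seconds early."""
    def __init__(self, client_id, client_secret, scope=None,
                 post=http_post, clock=time.monotonic, margin=60):
        self._creds = (client_id, client_secret, scope)
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            headers, body = build_token_request(*self._creds)
            data = self._post(TOKEN_URL, headers, body)
            if "access_token" not in data or str(data.get("token_type", "")).lower() != "bearer":
                # Report only the error code, never the credentials or a token.
                raise ValueError(f"token request failed: {data.get('error', 'unexpected response')}")
            self._token = data["access_token"]
            self._expires_at = now + int(data["expires_in"]) - self._margin
        return self._token

    def auth_header(self):  # Authorization header for the step 3 API calls
        return {"Authorization": f"Bearer {self.get()}"}
```

Load the client ID and secret from a secrets manager or the process environment rather than from source code, and keep the cached token out of logs.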