Token

Description

The Authentication topic describes the overall OAuth2 authentication flow. Authorization represents the first step of an authorization grant, and this topic describes the access token step of that flow. In addition to issuing user access tokens as part of the authorization grant, this endpoint can also be used to refresh access tokens and to issue application tokens.

The required request parameters vary based on the grant_type as specified in the following table:

grant_type            Required parameters
authorization_code    client_id, redirect_uri, code
refresh_token         client_id, refresh_token
client_credentials    client_id, client_secret

Request Parameters

Parameter

Details

client_id

(Required)

The ID of the registered application. Also referred to as APPID.

Example: client_id=GGjeDjEY6kKEiDmX

grant_type

(Required)

The type of grant requested.

Values: authorization_code, refresh_token, client_credentials

The type of token issued is based on the grant_type parameter as follows:

  • grant_type=authorization_code—Issues a user access_token and refresh_token based on the authorization code obtained in the authorization step. Access tokens are usually short lived (typically 30 minutes). Apps can get a new access_token by using the refresh_token obtained with this grant.
  • grant_type=refresh_token—Issues a new access_token by using the refresh_token obtained above.
  • grant_type=client_credentials—Issues an app access_token for the client_id specified in the request.

redirect_uri

(Required when grant_type=authorization_code)

The URI specified during the authorization step. The URI must match; otherwise, authorization will be rejected.

Example: redirect_uri=http://app.example.com/cb

code

(Required when grant_type=authorization_code)

The authorization code obtained as a result of the authorization step.

Example: code=KIV31WkDhY6XIWXmWAc6U

refresh_token

(Required when grant_type=refresh_token)

The refresh_token obtained in response to grant_type=authorization_code.

Example: refresh_token=GysTpIui-oxWTTIs

client_secret

(Required when grant_type=client_credentials)

The secret of the registered application. Also referred to as APPSECRET.

Example: client_secret=57e2f75cd56346bf9d5654c3338a1250

Response

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "expires_in": 1800, // expiration in seconds from now
  "refresh_token": "GysTpIui-oxWTTIs" // ONLY returned when grant_type=authorization_code
}

Example Usage

For all examples, assume this endpoint:

https://www.arcgis.com/sharing/oauth2/token

grant_type=authorization_code

Assume these parameters:

client_id=GGjeDjEY6kKEiDmX&
grant_type=authorization_code&
redirect_uri=http://app.example.com/cb&
code=KIV31WkDhY6XIWXmWAc6U

grant_type=refresh_token

Assume these parameters:

client_id=GGjeDjEY6kKEiDmX&
grant_type=refresh_token&
refresh_token=GysTpIui-oxWTTIs

grant_type=client_credentials

Assume these parameters:

client_id=GGjeDjEY6kKEiDmX&
grant_type=client_credentials&
client_secret=57e2f75cd56346bf9d5654c3338a1250
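
The following is an added example, not code from the original page or from the API's vendor: it checks the required parameters for each grant_type against the table above, builds the token request, and converts expires_in into an absolute expiry time. The function names are hypothetical, and sending the parameters as a form-encoded POST body (rather than in the URL) is an assumption about the endpoint.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://www.arcgis.com/sharing/oauth2/token"  # endpoint from this page

# Required parameters per grant_type, as listed in the table on this page.
REQUIRED = {
    "authorization_code": ("client_id", "redirect_uri", "code"),
    "refresh_token": ("client_id", "refresh_token"),
    "client_credentials": ("client_id", "client_secret"),
}

def build_token_request(grant_type, **params):
    """Validate parameters for the grant and return a POST request (not sent)."""
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant_type!r}")
    missing = [p for p in REQUIRED[grant_type] if not params.get(p)]
    if missing:
        raise ValueError(f"{grant_type} requires: {', '.join(missing)}")
    # Send only the parameters this grant needs, so a client_secret or
    # refresh_token passed by mistake is not forwarded with another grant.
    fields = {"grant_type": grant_type}
    fields.update({p: params[p] for p in REQUIRED[grant_type]})
    # Assumption: the endpoint accepts a form-encoded POST body, which keeps
    # secrets and codes out of URLs, proxy logs and browser history.
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )

def parse_token_response(raw, now=None):
    """Parse the JSON response and turn expires_in into an absolute expiry."""
    data = json.loads(raw)
    if "access_token" not in data or "expires_in" not in data:
        raise ValueError("response lacks access_token or expires_in")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]),
        # Only present for grant_type=authorization_code.
        "refresh_token": data.get("refresh_token"),
    }

def send(request):
    """Perform the request; not called here, so the example runs offline."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return parse_token_response(resp.read())
```

Refresh the access token shortly before expires_at rather than waiting for a rejected call, and keep client_secret and refresh_token out of application logs.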
3/3/2017