Help Center

Using the Client Credentials Flow


In order to connect an app with the BlueConic REST API v2, the application must first be authorized. You can use the Client Credentials Flow to allows an external application to programmatically gain access to the REST API without user intervention. The external application runs on behalf of an existing BlueConic user.

Application scopes

As is usually the case with OAuth 2.0, the scopes of an application are not defined in a request but are defined within BlueConic when registering the application. Application scopes together with the user permissions of the user that has been configured to run on their behalf will determine which public APIs the application can access.

Access tokens

An access token can be obtained by the application when the application has successfully authenticated itself with a client ID and client secret to access the public API. The access token can be used in requests to access the API, but it is short-lived. Once the current access token has expired, the application will have to request a new access token in the same manner.

Protocol flow 

The flow described below assumes that the application has been registered in BlueConic (see steps below). Application registration is required to be able to authenticate the application with the client ID and client secret.

  1. The application makes a token request with its client credentials for authentication.

  2. The application receives an access token if the application is successfully authenticated.

  3. The application makes a request to the public API with the access token.

  4. BlueConic validates the access token and if the access token is valid, BlueConic serves the request.



Implementation guide

Step 1. Register your application in BlueConic

To register your application, choose Settings > Access management > Applications from the BlueConic navigation bar. Click the Add application button. 

Enter your application details in the Application information section.

The client ID and client secret are issued when the application is saved. Please store them securely, because your application will need to use these credentials to authenticate itself.


Configure the Application access

In the Application access section, you configure options including scopes and the IP addresses that are allowed to access BlueConic. You need to select a user for the ‘Run as user’ field here. The application will run on the selected user’s behalf and will inherit that user’s BlueConic role permissions. Only users with the ‘Authorize applications’ permission can be selected in the ‘Run as user’ field.

Save your settings and remember also to change the status of the application to ON when you are ready to use the application, using the toggle at the top. If the application status is OFF, the client authentication will fail later on, and the access/refresh tokens also won’t work if there are any for the application.

Step 2. Request an access token

To obtain an access token, call the /rest/v2/oauth/token endpoint.

curl --location 'https://www.{your-tenant-name}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=Zl3QZFUGOKQrABbX2RoGwmgUDOiFAhLq' \
--data-urlencode 'client_secret=gmR64Qzo1mcxN5mp4IBpboP128bE9B4R'

Be sure to include the client ID and client secret in the request body for client authentication.

Set the grant_type in the request body to client_credentials.

Example token response

"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "Bearer",
"expires_in": 3600

If the request is successful, an access token is issued. The access token is short-lived and will expire in 1 hour. If the access token has expired, the application will have to perform the token request again  to obtain a new access token.

Step 3. Call the Public API with the access token

You can now access the public API with your application by adding the access token to the authorization header.

Example API request with access token

curl -X GET "https://www.{your-tenant-name}" \
-H "Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA"

Step 4. Revoke an access token

To revoke tokens, you have to call the /rest/v2/oauth/revoke endpoint.

Example revoke request

curl --location 'https://www.{your-tenant-name}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=2YotnFZFEjr1zCsicMWpAA' \
--data-urlencode 'token_type_hint=access_token' \
--data-urlencode 'client_id=Zl3QZFUGOKQrABbX2RoGwmgUDOiFAhLq' \
--data-urlencode 'client_secret=gmR64Qzo1mcxN5mp4IBpboP128bE9B4R'

Make sure to include the client ID and client secret in the request body for client authentication.

The token to revoke has to be added to the request body, and you can optionally add a token_type_hint to specify the token type for optimized lookup.

Learn more about using the REST API v2 with OAuth 2.0

See the article Using the BlueConic REST API for details on configuring BlueConic so your external OAuth 2.0 apps can authenticate and use the REST API. 

Was this article helpful?
0 out of 0 found this helpful