
POST /auth/token

Request Information

As defined in the OAuth 2.0 protocol, the token request needs to be formatted as application/x-www-form-urlencoded.

Resource Description

| Name | Description | Type | Additional information |
|---|---|---|---|
| client_id | The unique identifier assigned to your application. | string | Required. Use HTTP Basic Authentication as stated in the Note section below. |
| client_secret | The password for your application. | string | Required. Use HTTP Basic Authentication as stated in the Note section below. |
| refresh_token | The refresh token received from the previous token request. | string | Required |
| grant_type | MUST be set to "refresh_token" | string | Required |
| scope | Defines the set of operations an access token is permitted to request. | string | Required. See Service Extensions and Scopes for further details. |

Note

It is recommended to use the HTTP Basic Authentication scheme (as defined in RFC 2617) for client authentication. Only clients unable to directly utilize the HTTP Basic Authentication should send "client_id" and "client_secret" in the request body. In order for a client to use HTTP Basic Authentication, the following steps need to be performed:

  • Concatenate "client_id" and "client_secret" with a colon in between: {client_id}:{client_secret}
  • Base64-encode the concatenated string.
  • Add the following Authorization header to the request: Basic {Base64-encoded-string}

Request Format (with HTTP Basic Authentication)

POST /auth/token HTTP/1.1
Authorization: Basic bXlUZXN0QXBwOm15U2VjcmV0
Content-Type: application/x-www-form-urlencoded

refresh_token=e638d190ecec49aa80157e86fb11e4e5&grant_type=refresh_token&scope=ecom.orders

Request Format (with "client_id" and "client_secret" in request body)

POST /auth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_id=myTestApp&client_secret=mySecret&refresh_token=e638d190ecec49aa80157e86fb11e4e5&grant_type=refresh_token&scope=ecom.orders

Response Information

As defined in the OAuth 2.0 protocol, the token response is formatted as JSON.

Resource Description

| Name | Description | Type | Additional information |
|---|---|---|---|
| access_token | The access token used to send authenticated requests to the Unity API. | string | Required |
| token_type | Identifies the type of token. This field is always set to "bearer". | string | Required |
| expires_in | The lifetime of the access token in seconds. | number | Required |
| refresh_token | The refresh token used for refreshing (obtaining a new) access token. | string | Required |
| scope | The set of operations the issued access token is permitted to request. | string | Required |

Response Format

{
    "access_token": "E0wcZcGpktnJCiB5U-ftsWQ1t0_7m6ATX_NxznQO7QvbMKhIF09XqJCWI2NVCX1yoc36OlrrxRxPzjAD5OtKz2bBCZJ9e1tuej9eSkul9SXV0U4wijzDN-l7l6jt161IKxTg-O8IG0MEO5FRzSJIsfSFWnKeSLQc-X7Rj0OBKQBb91NKpvietzm3jcKIhZlalFrBT7QWahV5yVEwI7khazPm-jWnX97WVBPUE9TIZTijP0jmM-d9wvl-LxHtOELpZnl7jDybSzLZJX0vkG_lBGqtKMnrwXLvEQdRsRL3Vcuo10dJ3EC9VWI0j2F-3ryhJCzBWQ",
    "token_type": "bearer",
    "expires_in": 299,
    "refresh_token": "276927f4e97a46db8b94fda24d52d93d",
    "scope": "[\"ECom.Licenses\",\"ECom.Orders\"]"
}
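
The following is an added example, not code from this API's documentation or its vendor. It follows the three Basic Authentication steps from the Note to build the refresh request, then checks a response shaped like the Response Format above. The function names, the 30-second `skew` margin, the choice to store the returned refresh token for the next refresh, and the shortened sample token are assumptions made for illustration.

```python
import base64
import json
import time
from urllib.parse import urlencode

REQUIRED = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}

def basic_auth_header(client_id, client_secret):
    """Note steps: join with ':', Base64-encode, prefix with 'Basic '."""
    if ":" in client_id:  # a colon in the id makes the id/secret split ambiguous
        raise ValueError("client_id must not contain ':'")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_refresh_request(client_id, client_secret, refresh_token, scope):
    """Return (headers, body) for POST /auth/token; credentials stay out of the body."""
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"refresh_token": refresh_token,
                      "grant_type": "refresh_token", "scope": scope})
    return headers, body

def parse_token_response(text, now=None, skew=30):
    """Check the documented fields and return what the client should store."""
    data = json.loads(text)
    missing = REQUIRED - data.keys()
    if missing:
        raise ValueError(f"token response missing: {sorted(missing)}")
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError("unexpected token_type")
    # The page's sample carries scope as a JSON array serialized into a string.
    raw = data["scope"]
    scopes = json.loads(raw) if raw.lstrip().startswith("[") else raw.split()
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            # Assumption: keep the returned value for the next refresh request.
            "refresh_token": data["refresh_token"],
            "scopes": scopes,
            # Refresh `skew` seconds early so the token does not expire mid-request.
            "refresh_at": now + max(0, int(data["expires_in"]) - skew)}

# Constructed sample shaped like the Response Format (access token shortened).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "EXAMPLE-ACCESS-TOKEN", "token_type": "bearer",
    "expires_in": 299, "refresh_token": "276927f4e97a46db8b94fda24d52d93d",
    "scope": '["ECom.Licenses","ECom.Orders"]'})

if __name__ == "__main__":
    print(build_refresh_request("myTestApp", "mySecret",
                                "e638d190ecec49aa80157e86fb11e4e5", "ecom.orders"))
    print(parse_token_response(SAMPLE_RESPONSE, now=1000))
```

With the page's sample credentials the header matches the one shown under Request Format (with HTTP Basic Authentication), and the body carries no client credentials.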