Request an OAuth 2.0 access token
Request an access token to authorize calls to the 1Password Users API for Partners (Public Preview) using the OAuth 2.0 client credentials grant.
| HTTP Method | Endpoint URL |
|---|---|
| POST | <base_url>/v1beta1/users/oauth2/token |
Replace <base_url> with the regional base URL for the account you want to access:
| Region | Base URL |
|---|---|
| 1Password.com | https://api.1password.com |
| 1Password.ca | https://api.1password.ca |
| 1Password.eu | https://api.1password.eu |
Make a request to get an access token
Access tokens authorize OAuth applications to send requests to the Users API resource endpoints. After obtaining an access token, include it in the Authorization header when calling Users API endpoints.
Requests to this endpoint require the client ID and client secret credentials that were generated when you created the OAuth application. Send those credentials using HTTP Basic authentication.
Learn more about how to request an access token.
Request headers
Include the following request headers:
| Header | Value | Required | Description |
|---|---|---|---|
| Authorization | Authorization: Basic <base64(client_id:client_secret)> | Yes | The HTTP Basic authentication header. Your client credentials must be sent as a base64-encoded string with this header. |
| Content-Type | Content-Type: application/x-www-form-urlencoded | Yes | This indicates that the request body is URL-form-encoded. |
Request body parameters
| Name | Type | Required | Description |
|---|---|---|---|
| grant_type | string | Yes | The OAuth 2.0 grant type. The value must be client_credentials. |
| scope | string | No | The granted scope associated with the access token. If included, the scope value must be openid. If omitted, the authorization server uses the default scope for the OAuth client, which will always be openid. |
Example requests
Send the client ID and client secret as a base64-encoded string using HTTP Basic authentication. In a curl request, the --user "<client_ID>:<client_secret>" authorization parameter encodes and sends the Authorization header for you.
Request an access token using HTTP:
To request an access token using curl, the request would be structured as follows:
For example:
Receive a response
A successful response returns 200 OK with a TokenResponse object.
Example response
Use the returned token to authorize subsequent requests to the Users API:
This flow doesn't support refresh tokens. When the token expires, request a new access token from the token endpoint.
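Because there is no refresh token, a client has to repeat the client credentials request each time the token expires. The following Python sketch is an added example, not 1Password's code: it builds the request from the header and body tables above and caches the token until shortly before expires_in elapses. The names TokenCache, build_token_request and http_post and the 60-second EXPIRY_MARGIN are assumptions made for illustration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/v1beta1/users/oauth2/token"
EXPIRY_MARGIN = 60  # assumption: re-request this many seconds before expiry


def build_token_request(base_url, client_id, client_secret):
    """Return (url, headers, body) for the client credentials grant."""
    creds = f"{client_id}:{client_secret}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials", "scope": "openid"}
    return (base_url.rstrip("/") + TOKEN_PATH, headers,
            urllib.parse.urlencode(form).encode("ascii"))


def http_post(url, headers, body):
    """Default transport: POST and parse JSON; urlopen raises HTTPError on 400/401."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Keeps one access token in memory and re-requests it near expiry."""

    def __init__(self, base_url, client_id, client_secret,
                 post=http_post, clock=time.monotonic):
        if not base_url.startswith("https://"):
            raise ValueError("client secret must only be sent over HTTPS")
        self._request = build_token_request(base_url, client_id, client_secret)
        self._post, self._clock = post, clock
        self._token, self._deadline = None, 0.0

    def bearer_header(self):
        """Return the Authorization header value for a Users API call."""
        if self._token is None or self._clock() >= self._deadline:
            resp = self._post(*self._request)
            if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
                raise ValueError("unexpected token response")
            self._token = resp["access_token"]
            self._deadline = self._clock() + int(resp["expires_in"]) - EXPIRY_MARGIN
        return "Bearer " + self._token
```

The post and clock parameters exist so the cache can be exercised without network access; in production the defaults apply and the client secret should come from a secrets store rather than source code.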
Response schemas
TokenResponse object
| Field | Type | Description |
|---|---|---|
| access_token | string | The opaque OAuth 2.0 access token used to authorize API requests. |
| expires_in | integer | The lifetime of the access token in seconds. The default lifespan of a token is 900 seconds (15 minutes) unless it is revoked. |
| scope | string | The granted scope for the access token. In the verified response example, this value will always be openid. |
| token_type | string | Type of token returned by the authorization server. This value is always Bearer. |
If the request is malformed or contains invalid parameters, the server returns a standard OAuth 2.0 error response. Failed client authentication may return 401 Unauthorized.
Error responses
The endpoint may return standard OAuth 2.0 error responses when the request cannot be processed.
| Status | Description |
|---|---|
| 400 Bad Request | The request has a missing or malformed parameter, or an unsupported grant type. |
| 401 Unauthorized | The client credentials are invalid, or the client is inactive. |