# Resource owner password credentials flow
Warning
These will be the only supported endpoints after June 1st 2025. If you are using the old/legacy endpoints, we strongly recommend that you integrate with the new endpoints described here as soon as possible.
## Introduction
If the external system or application does not require user interaction for authentication and can securely store the user's username and password, the Resource Owner Password Credentials (ROPC) Flow can be used to obtain an access token.
In this flow, the user's credentials are sent directly to the authorization server, which then issues an access token and a refresh token.
## Obtaining an access token
To obtain a new `access_token`, the following URL should be used:
Request Method: POST
Required parameters in `application/x-www-form-urlencoded`:
Required headers (if `client_id` and `client_secret` are not provided in the body):
### Example with header option
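```
# Replace <username> and <password>; --data-urlencode keeps special characters intact.
curl https://sso.pageroonline.com/oauth/v2/oauth-token \
  -d grant_type=password \
  --data-urlencode 'username=<username>' \
  --data-urlencode 'password=<password>' \
  --user 'client_id:client_secret'
```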
The response will contain a JSON body that looks like this:
```
{
  "token_type": "bearer",
  "access_token": "_0XBPWQQ_755ee1db-08e1-46a5-a121-538d37e5571d",
  "refresh_token": "_1XBPWQQ_d88969ce-25dc-40af-a558-fc647632d610",
  "scope": "",
  "expires_in": 600
}
```
Important
The refresh token is issued with a rolling lifetime of three years, allowing it to generate new access tokens continuously within this period. After three years, user authentication will be required to obtain a new refresh token.
## Making an API request using an access token
When making an API request, the `access_token` should be provided in the `Authorization` header as a bearer token.
### Example
```
curl https://api.pageroonline.com/someresource \
  -H 'Authorization: Bearer _0XBPWQQ_755ee1db-08e1-46a5-a121-538d37e5571d'
```
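The token request and the bearer header described above, as an added Python example that is not part of the original documentation. It builds the request without sending it, tracks expiry from `expires_in`, and keeps tokens out of `repr()` output; the names `build_token_request`, `TokenSet` and the 30-second `skew` margin are assumptions made for illustration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

TOKEN_URL = "https://sso.pageroonline.com/oauth/v2/oauth-token"  # from the curl example


def build_token_request(username, password, client_id, client_secret):
    """Build (but do not send) the POST from the 'header option' curl example."""
    # urlencode percent-encodes '&', '+', '=' etc., which would otherwise
    # corrupt the form body when they occur in a password.
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode("ascii")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


@dataclass
class TokenSet:
    access_token: str = field(repr=False)   # repr=False keeps tokens out of logs
    refresh_token: str = field(repr=False)
    expires_at: float                       # absolute time.time() value

    @classmethod
    def from_response(cls, raw, now=None):
        """Parse the JSON token response shown above."""
        data = json.loads(raw)
        if data.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        now = time.time() if now is None else now
        return cls(data["access_token"], data["refresh_token"],
                   now + int(data["expires_in"]))

    def needs_renewal(self, now=None, skew=30):
        """True once the access token is within `skew` seconds of expiry (assumed margin)."""
        now = time.time() if now is None else now
        return now >= self.expires_at - skew

    def auth_header(self):
        return {"Authorization": f"Bearer {self.access_token}"}
```

Pass the returned request to `urllib.request.urlopen()` to send it, and feed the response body to `TokenSet.from_response()`.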