#
Resource owner password credentials flow
Warning
These will be the only supported endpoints after June 01st, 2025. If you are using the old/legacy endpoints, we strongly recommend that you integrate with the new endpoints described here as soon as possible.
Important
It is critical to securely manage sensitive credentials, including the username, password, client ID, and client secret. Exposure of these credentials can lead to unauthorized access and security breaches. Never hardcode the credentials in your application code, configuration files, or version control systems. Failing to follow these security best practices can compromise system integrity and user data. We strongly recommend implementing proper secret management strategies.
#
Introduction
If the external system or application does not require user interaction for authentication and can securely store the user's username and password, the Resource Owner Password Credentials (ROPC) Flow can be used to obtain an access token.
In this flow, the user's credentials are sent directly to the authorization server, which then issues an access token and a refresh token.
#
Obtaining an access token
To obtain a new access_token
, the following URL should be used:
Request Method: POST
Required parameters in application/x-www-form-urlencoded
:
Required headers (if not client_id
and client_secret
provided in the body):
#
Example with header option
curl https://sso.pageroonline.com/oauth/v2/oauth-token \
-d grant_type=password \
-d username=<username> \
-d password=<password> \
--user 'client_id:client_secret'
The response will contain a JSON body that looks like this:
{
"token_type": "bearer",
"access_token": "_0XBPWQQ_755ee1db-08e1-46a5-a121-538d37e5571d",
"refresh_token": "_1XBPWQQ_d88969ce-25dc-40af-a558-fc647632d610",
"scope": "",
"expires_in": 600
}
Important
The refresh token is issued with a rolling lifetime of three years, allowing it to generate new access tokens continuously within this period. After three years, user authentication will be required to obtain a new refresh token.
#
Making an API request using an access token
When making an API request, the access_token
should be provided in an Authentication header as a bearer token.
#
Example
curl https://api.pageroonline.com/someresource \
-H 'Authorization: Bearer _0XBPWQQ_755ee1db-08e1-46a5-a121-538d37e5571d'