Request an OAuth 2.0 access token

Request an access token to authorize calls to the 1Password Users API for Partners (Public Preview) using the OAuth 2.0 client credentials grant.

HTTP Method	Endpoint URL
`POST`	`<base_url>/v1beta1/users/oauth2/token`

Replace <base_url> with the regional base URL for the account you want to access:

Region	Base URL
1Password.com	`https://api.1password.com`
1Password.ca	`https://api.1password.ca`
1Password.eu	`https://api.1password.eu`

Make a request to get an access token

Access tokens authorize OAuth applications to send requests to the Users API resource endpoints. After obtaining an access token, include it in the Authorization header when calling Users API endpoints. Requests to this endpoint require the client ID and client secret credentials that were generated when you created the OAuth application. Send those credentials using HTTP Basic authentication. Learn more about how to request an access token.

Request headers

Include the following request headers:

Header	Value	Required	Description
`Authorization`	`Authorization: Basic <base64(client_id:client_secret)>`	Yes	The HTTP Basic authentication header. Your client credentials must be sent as a base64-encoded string with this header.
`Content-Type`	`Content-Type: application/x-www-form-urlencoded`	Yes	This indicates that the request body is URL-form-encoded.

Request body parameters

Name	Type	Required	Description
`grant_type`	string	Yes	The OAuth 2.0 grant type. The value must be `client_credentials`.
`scope`	string	No	The granted scope associated with the access token. If included, the scope value must be `openid`. If omitted, the authorization server uses the default scope for the OAuth client, which will always be `openid`.

Example requests

Send the client ID and client secret as a base64-encoded string using HTTP Basic authentication. In a curl request, the --user "<client_ID>:<client_secret>" authorization parameter encodes and sends the Authorization header for you. Request an access token using HTTP:

POST /v1beta1/users/oauth2/token HTTP/1.1
Host: api.1password.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic MTIzNDVhNjctYmNkZS04OWYwLTEyM2EtNDViY2RlZjY3OGdhOmhJaktMbTFOb1AuUX5yc3RVVndYWVphYmNE

grant_type=client_credentials&scope=openid

To request an access token using curl, the requested would be structured as follows:

curl --request POST \
  --url "<base_url>/v1beta1/users/oauth2/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --user "<client_ID>:<client_secret>" \
  --data "grant_type=client_credentials&scope=openid"

For example:

curl -X POST https://api.1password.com/v1beta1/users/oauth2/token \
--header "Content-Type: application/x-www-form-urlencoded" \
--user "12345a67-bcde-89f0-123a-45bcdef678ga:hIjKLm1NoP.Q~rstUVwXYZabcD" \
--data "grant_type=client_credentials&scope=openid"

Receive a response

A successful response returns 200 OK with a TokenResponse object.

Example response

{
  "access_token": "ory_at_...",
  "expires_in": 900,
  "scope": "openid",
  "token_type": "bearer"
}

Use the returned token to authorize subsequent requests to the Users API:

Authorization: Bearer <YOUR_ACCESS_TOKEN>

This flow doesn’t support refresh tokens. When the token expires, request a new access token from the token endpoint.

Response schemas

TokenResponse object

Field	Type	Description
`access_token`	string	The opaque OAuth 2.0 access token used to authorize API requests.
`expires_in`	integer	The lifetime of the access token in seconds. The default lifespan of a token is 900 seconds (15 minutes) unless it is revoked.
`scope`	string	The granted scope for the access token. In the verified response example, this value will always be `openid`.
`token_type`	string	Type of token returned by the authorization server. This value is always `Bearer`.

If the request is malformed or contains invalid parameters, the server returns a standard OAuth 2.0 error response. Failed client authentication may return 401 Unauthorized.

Error responses

The endpoint may return standard OAuth 2.0 error responses when the request cannot be processed.

Status	Description
`400 Bad Request`	The request has a missing or malformed parameter, or an unsupported grant type.
`401 Unauthorized`	The client credentials are invalid, or the client is inactive.

​Make a request to get an access token

​Request headers

​Request body parameters

​Example requests

​Receive a response

​Example response

​Response schemas

​TokenResponse object

​Error responses