2 Legged OAuth2

Before accessing resources in the Ed-Fi REST API, your application must obtain an access token from the API. The token stands in for your application key and secret and is validated on every call you make to the API, so it must be protected like a credential: store it only in memory or in a protected store, and never write it to logs or URLs.

Step 1 - Get an authorization code

POST the application key to /oauth/authorize as client_id and set response_type to "code" (the standard OAuth 2.0 parameter for requesting an authorization code). You can also execute a GET for this operation, although a POST is recommended: a GET places the application key in the URL, where it can be recorded in server, proxy, and browser logs. The example below uses a GET.

The response body contains a "Code" field holding the authorization code. The image below shows an example response.

The authorization code that is returned expires 10 minutes after being issued.

Step 2 - Obtain an access token

POST the client id, secret, and authorization code to /oauth/token as Client_id, Client_secret, and Code respectively, and set Grant_type to authorization_code. This request must be a POST over HTTPS with the parameters in the request body; the client secret must never be sent in a query string, since query strings are routinely logged.

The image below shows an example request.

The image below shows an example response with an access token.

The returned access token has a 30-minute sliding expiration: every operation against the Ed-Fi REST API resets the 30-minute window, so a token in steady use remains valid, while a token left unused for 30 minutes expires. Your client should expect the API to reject an expired token with an unauthorized response and should repeat steps 1 and 2 to obtain a new one rather than caching a token indefinitely.

Step 3 - Use the access token

On subsequent API requests, include the access token in an HTTP Authorization header as "Bearer XYZ", where "XYZ" is the access token. As an example, the token from step 2 would be included in the HTTP header as "Authorization: Bearer 8b2ed0872a0a46378dcbc4084a7fa2a6". Because a bearer token grants access to whoever presents it, always send it over HTTPS only.
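The three steps above, written out as a small Python client, are shown below. This is an added example, not code from the Ed-Fi documentation or from the Ed-Fi ODS/API project. It assumes the endpoint paths and parameter names as given above (client_id and response_type=code for step 1; Client_id, Client_secret, Code and Grant_type for step 2), assumes the token response carries the token in an access_token field as in RFC 6749 (verify this against the real response), and talks to a constructed in-memory stand-in for the API so that it runs offline; the base URL https://ods.example.invalid, the credentials demo-key/demo-secret and the path /resource are placeholders. Beyond what the text states, the example shows what the two lifetimes mean for a client: a token used every 25 minutes stays valid indefinitely, a token left idle for more than 30 minutes is rejected and replaced by repeating steps 1 and 2, and a code older than 10 minutes is refused at the token endpoint.

```python
import secrets
from typing import Callable, Dict, Tuple

CODE_TTL = 10 * 60    # authorization code lifetime stated on this page: 10 minutes
TOKEN_TTL = 30 * 60   # sliding access-token window stated on this page: 30 minutes

# transport(method, url, form, headers) -> (status, json_body); injected so the flow runs offline here.
# Against a real ODS, back it with urllib/requests and send the form fields in the POST body, not the URL.
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, Dict]]


class EdFiOAuthClient:
    """Steps 1-3 from the page. The 'access_token' reply field is an assumption (RFC 6749); check it."""
    def __init__(self, base_url: str, client_id: str, client_secret: str, transport: Transport):
        self.base_url, self.client_id, self.client_secret = base_url.rstrip("/"), client_id, client_secret
        self.transport, self.access_token = transport, None

    def get_authorization_code(self) -> str:
        # Step 1: POST rather than GET so the application key stays out of URL and proxy logs.
        status, body = self.transport("POST", self.base_url + "/oauth/authorize",
                                      {"client_id": self.client_id, "response_type": "code"}, {})
        if status != 200:
            raise RuntimeError(f"authorize failed: {status} {body}")
        return body["Code"]

    def get_access_token(self, code: str) -> str:
        # Step 2: the secret travels only in the POST body (over TLS), never in a query string.
        status, body = self.transport("POST", self.base_url + "/oauth/token",
                                      {"Client_id": self.client_id, "Client_secret": self.client_secret,
                                       "Code": code, "Grant_type": "authorization_code"}, {})
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {body}")
        self.access_token = body["access_token"]
        return self.access_token

    def bearer_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.access_token}"}        # Step 3

    def get(self, path: str) -> Tuple[int, Dict]:
        if self.access_token is None:
            self.get_access_token(self.get_authorization_code())
        status, body = self.transport("GET", self.base_url + path, {}, self.bearer_header())
        if status == 401:   # sliding window lapsed: redo steps 1-2 once and retry
            self.get_access_token(self.get_authorization_code())
            status, body = self.transport("GET", self.base_url + path, {}, self.bearer_header())
        return status, body


class FakeEdFiServer:
    """Constructed stand-in for the API (not Ed-Fi code) that enforces the two lifetimes; it is a Transport."""
    def __init__(self, client_id: str, client_secret: str, clock: Callable[[], float]):
        self.creds, self.clock = (client_id, client_secret), clock   # clock is injected to test expiry
        self.codes, self.tokens = {}, {}    # code -> issue time; token -> last-use time

    def __call__(self, method, url, form, headers) -> Tuple[int, Dict]:
        path, now = "/" + url.split("/", 3)[3], self.clock()
        if path == "/oauth/authorize":
            if method != "POST" or form.get("client_id") != self.creds[0]:
                return 400, {"error": "invalid_client"}
            code = secrets.token_hex(16)
            self.codes[code] = now
            return 200, {"Code": code}
        if path == "/oauth/token":
            issued = self.codes.pop(form.get("Code"), None)    # single use: gone once redeemed
            if (method != "POST" or (form.get("Client_id"), form.get("Client_secret")) != self.creds
                    or form.get("Grant_type") != "authorization_code"
                    or issued is None or now - issued > CODE_TTL):
                return 400, {"error": "invalid_grant"}
            token = secrets.token_hex(16)
            self.tokens[token] = now
            return 200, {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_TTL}
        auth = headers.get("Authorization", "")                # any other path is a protected resource
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        last = self.tokens.get(token)
        if last is None or now - last > TOKEN_TTL:
            return 401, {"error": "invalid_token"}
        self.tokens[token] = now                               # sliding window: every call extends it
        return 200, {"path": path, "client": self.creds[0]}


def demo() -> Dict[str, object]:
    """Drive the flow with a fake clock to show both expiry rules; returns what each step produced."""
    clock = {"t": 0.0}
    server = FakeEdFiServer("demo-key", "demo-secret", clock=lambda: clock["t"])   # constructed creds
    client = EdFiOAuthClient("https://ods.example.invalid", "demo-key", "demo-secret", server)
    first_token = client.get_access_token(client.get_authorization_code())
    out = {"bearer_header": client.bearer_header()["Authorization"], "first_status": client.get("/resource")[0]}
    clock["t"] += 25 * 60                                       # 25 min idle: still inside the window
    out["second_status"] = client.get("/resource")[0]
    clock["t"] += 25 * 60                                       # previous call slid the window forward
    out["third_status"] = client.get("/resource")[0]
    clock["t"] += 31 * 60                                       # >30 min idle: token dead, client re-auths
    out["fourth_status"] = client.get("/resource")[0]
    out["token_rotated"] = client.access_token != first_token
    code = client.get_authorization_code()
    clock["t"] += 11 * 60                                       # >10 min: the code itself has expired
    try:
        client.get_access_token(code)
        out["stale_code_rejected"] = False
    except RuntimeError:
        out["stale_code_rejected"] = True
    return out
```

Call demo() to see each step's outcome. To use the client against a real ODS instance, replace FakeEdFiServer with a transport function of the same signature that performs the HTTP request; keep the POST body, not the query string, as the carrier for the client secret, and keep the 401 retry so a token that lapses after 30 idle minutes is replaced automatically.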
