Resource Owner Password Credentials Flow: Obtaining of an Access Token

To obtain an access token, a client application that implements the Resource Owner Password Credentials flow connects to the token endpoint of MYOB Acumatica with the POST method. For details on the request and the response, see the following sections.

HTTP Method and URL

The client application connects to the token endpoint of MYOB Acumatica with the POST method. The client application can use one of the following options for the URL:

  • If the client application supports OpenID Connect Discovery, the client application can use the discovery endpoint address, as shown in the following code.
    https://<MYOB Acumatica instance URL>/identity/.well-known/openid-configuration
    Note:
    We recommend that the client application use the discovery endpoint address, which eliminates the need to change the application if the target endpoint address changes.
  • The client application can directly use the token endpoint address, as shown in the following code.
    https://<MYOB Acumatica instance URL>/identity/connect/token

HTTP Header

You use the following HTTP header.

Key Value
Content-Type application/x-www-form-urlencoded

Request Body

You specify the following parameters in the request body.

Parameter Description
grant_type

The type of the OAuth 2.0 flow, which must be set to password for the resource owner password credentials flow.

client_id

The client ID that was assigned to the client application during the registration of the application in MYOB Acumatica. The client ID must have the format in which the ID was generated during the registration of the application. That is, the client ID must include an auto-generated string and the ID of the tenant, such as 88358B02-A48D-A50E-F710-39C1636C30F6@MyTenant. The client application will have access to the data of the tenant specified in the client ID.

client_secret

For a client application that uses a shared secret, the value of the secret that was created for the client application during the registration of the application in MYOB Acumatica.

client_assertion_type

For a client application that uses JSON Web Token (JWT) bearer tokens, the client assertion type, which must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.

client_assertion

For a client application that uses JSON Web Token (JWT) bearer tokens, a single JWT.

username

The username of an MYOB Acumatica user.

password

The password for the specified username.

scope

The access scope that is requested by the client application. The scope can be a combination of the following values, delimited by spaces:

  • api: Requests access to the REST API, screen-based SOAP API, and OData interface.

    If this scope is granted and the api:concurrent_access scope is not granted, MYOB Acumatica manages the sessions of the application through tokens. MYOB Acumatica issues the first access token along with the session ID. If the client application requests a new access token by presenting a refresh token, MYOB Acumatica reuses the session ID that was issued for the first access token issued with the refresh token. That is, the system uses a single session for each access granted to the client application. For details about the license limitations related to the number of sessions for client applications, see License Restrictions for API Users.

  • offline_access: Requests that a refresh token be granted. If a user grants this scope to the application, MYOB Acumatica issues to the client application a refresh token along with the access token. When the access token has expired, the client application can request a new access token by sending a request to the token endpoint and providing the refresh token. By default, the whole chain for the refresh token expires 30 days after the initial authentication process. However, you can change these settings in the Refresh Tokens section of the Summary area of the Connected Applications (SM303010) form. For details, see Registration of an OAuth 2.0 or OIDC Application: Sliding Expiration of Refresh Tokens.
  • api:concurrent_access: Requests permission for the concurrent use of multiple types of web service APIs. If a user grants this scope to the application, the client application can access data in MYOB Acumatica in concurrent mode. In this case, MYOB Acumatica can maintain multiple sessions for the client application, managing session IDs through cookies. We recommend that the client application request this scope only if concurrent access is required for the client application. For details about the license limitations related to the number of sessions for client applications, see License Restrictions for API Users.

Response

MYOB Acumatica verifies the provided application credentials and issues the access token, which the client application should provide with each data request to MYOB Acumatica.

A successful response includes the following parameters in the response body.
Parameter Description
token_type

The type of the access token, which is Bearer. The parameter is returned only if the api scope was granted.

access_token

The access token. The parameter is returned only if the api scope was granted.

expires_in

The period of time (in seconds) during which the access token is valid. The parameter is returned only if the api scope was granted.

scope The scope for which the access token is valid.
refresh_token

The refresh token. The parameter is returned only if the offline_access scope was granted.

Example

An example of a request is shown below. (Line breaks are for display purposes only.)

POST /identity/connect/token HTTP/1.1
Host: https://localhost/AcumaticaDB
Content-Type: application/x-www-form-urlencoded

grant_type=password
&client_id=8E0761D9-F4EC-2D4B-A60F-BCE2708C6FDD%40U100
&client_secret=O19LLT5Z0SzFbCIKLXLqQQ
&username=admin
&password=123
&scope=api%20offline_access
A successful response has the body shown in the following example.
{
    "access_token": "u39uoZj9A4fj2T80Zx0Qirznr0oqNb1qK92c48ZdxUg",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": "api offline_access"
}