Resource Owner Password Credentials Flow: Obtaining of an Access Token
To obtain an access token, a client application that implements the Resource Owner Password Credentials flow connects to the token endpoint of MYOB Acumatica with the POST method. For details on the request and the response, see the following sections.
HTTP Method and URL
The client application connects to the token endpoint of MYOB Acumatica with the POST method. The client application can use one of the following options for the URL:
- If the client application supports OpenID Connect Discovery, the client application can use the discovery endpoint address, as shown in the following code.
  https://<MYOB Acumatica instance URL>/identity/.well-known/openid-configuration
  Note: We recommend that the client application use the discovery endpoint address, which eliminates the need to change the application if the target endpoint address changes.
- The client application can directly use the token endpoint address, as shown in the following code.
  https://<MYOB Acumatica instance URL>/identity/connect/token
HTTP Header
You use the following HTTP header.
Key | Value |
---|---|
Content-Type | application/x-www-form-urlencoded |
Request Body
You specify the following parameters in the request body.
Parameter | Description |
---|---|
grant_type | The type of the OAuth 2.0 flow, which must be set to |
client_id | The client ID that was assigned to the client application during the registration of the application in MYOB Acumatica. The client ID must have the format in which the ID was generated during the registration of the application. That is, the client ID must include an auto-generated string and the ID of the tenant, such as 88358B02-A48D-A50E-F710-39C1636C30F6@MyTenant. The client application will have access to the data of the tenant specified in the client ID. |
client_secret | For a client application that uses a shared secret, the value of the secret that was created for the client application during the registration of the application in MYOB Acumatica. |
client_assertion_type | For a client application that uses JSON Web Token (JWT) bearer tokens, the client assertion type, which must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer. |
client_assertion | For a client application that uses JSON Web Token (JWT) bearer tokens, a single JWT. |
username | The username of an MYOB Acumatica user. |
password | The password for the specified username. |
scope | The access scope that is requested by the client application. The scope can be a combination of the following values, delimited by spaces: |
Response
MYOB Acumatica verifies the provided application credentials and issues the access token, which the client application should provide with each data request to MYOB Acumatica.
Parameter | Description |
---|---|
token_type | The type of the access token, which is Bearer. The parameter is returned only if the api scope was granted. |
access_token | The access token. The parameter is returned only if the api scope was granted. |
expires_in | The period of time (in seconds) during which the access token is valid. The parameter is returned only if the api scope was granted. |
scope | The scope for which the access token is valid. |
refresh_token | The refresh token. The parameter is returned only if the offline_access scope was granted. |
Example
An example of a request is shown below. (Line breaks are for display purposes only.)
POST /AcumaticaDB/identity/connect/token HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

grant_type=password
&client_id=8E0761D9-F4EC-2D4B-A60F-BCE2708C6FDD%40U100
&client_secret=O19LLT5Z0SzFbCIKLXLqQQ
&username=admin
&password=123
&scope=api%20offline_access
A successful response has the body shown in the following example.
{
"access_token": "u39uoZj9A4fj2T80Zx0Qirznr0oqNb1qK92c48ZdxUg",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "api offline_access"
}
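The following Python sketch is an added example, not code from MYOB Acumatica. It resolves the token endpoint from a discovery document, builds the form-encoded request with the sample values from the request above, and validates the response. The function names are hypothetical, `token_endpoint` is the standard OpenID Connect Discovery field, and the HTTPS and same-host check is an assumption of this example.

```python
import json
from urllib.parse import quote, urlencode, urlsplit
from urllib.request import Request

def token_endpoint_from_discovery(discovery_json, instance_url):
    """Read token_endpoint from the discovery document and pin it to the instance."""
    endpoint = json.loads(discovery_json)["token_endpoint"]
    got, want = urlsplit(endpoint), urlsplit(instance_url)
    # Assumption of this example: the endpoint must be HTTPS on the same host as
    # the instance, because the request body carries a user password and a secret.
    if got.scheme != "https" or got.netloc.lower() != want.netloc.lower():
        raise ValueError("untrusted token endpoint: " + endpoint)
    return endpoint

def build_password_grant(endpoint, client_id, client_secret, username, password,
                         scope=("api", "offline_access")):
    """Build (without sending) the POST request for the password grant."""
    fields = {
        "grant_type": "password",          # value taken from the page's example
        "client_id": client_id,            # "<generated string>@<tenant>"
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": " ".join(scope),          # space-delimited scope list
    }
    # quote_via=quote yields %40 and %20, matching the request shown on this page.
    body = urlencode(fields, quote_via=quote).encode("ascii")
    return Request(endpoint, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(body):
    """Validate the JSON response; refresh_token is optional (None when absent)."""
    tok = json.loads(body)
    granted = tok.get("scope", "").split()
    if "api" not in granted:
        raise ValueError("api scope was not granted; no access token issued")
    if tok.get("token_type") != "Bearer" or not tok.get("access_token"):
        raise ValueError("unexpected token response")
    return {"access_token": tok["access_token"],
            "expires_in": int(tok["expires_in"]),
            "scope": granted,
            "refresh_token": tok.get("refresh_token")}

# Constructed discovery document for the sample instance URL used on this page.
SAMPLE_DISCOVERY = json.dumps(
    {"token_endpoint": "https://localhost/AcumaticaDB/identity/connect/token"})
```

To send the request, pass the returned `Request` object to `urllib.request.urlopen`, and keep the request body out of logs because it contains the user's password and the client secret.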