Username/Password Grant Type

The username/password grant type is only allowed for private client applications. In this authentication/authorization flow, the end user provides the client application directly with their username and password. The client application then exchanges the username and password to obtain an Access Token. The username and password should not be stored by the client application - you can store the Access Token instead. Axosoft Installed clients that use Windows Integrated Authentication, you would need to use Authorization Code grant type.

To obtain the Access Token, you can make a GET request to <BaseAxosoftURL>/api/oauth2/token with the following parameters in the URL query:

Parameter Description
grant_type The type of grant you are providing. For the username/password grant type, it must have the value password. Required.
username The Axosoft Suite Login ID of the user. Required.
password The Axosoft Suite Password of the user. Required.
client_id The Client ID issued to you through the Axosoft Suite. Required.
client_secret The Client Secret issued to you through the Axosoft Suite. Required.
scope A space-separated list of scopes your app is requesting. Valid scopes are read (which allows your app to read existing Axosoft data), and write (which allows it to add and update Axosoft data). If you need both, supply read write. If omitted, defaults to read.
Parameter Description
BODY DATA A JSON object with the following properties:

access_token: (string) The Access Token which can be used to access protected resources via the API.

token_type: (string) The type of the Access Token. You are receiving a bearer token, so this will contain the value "bearer".

data: (object) An object containing a few properties of the user associated with the Access Token, such as id, first_name, last_name, and email.

For example, you might receive the following data in the response body after a successful request:

{
    "access_token" : "10101010-1010-1010-1010-101010101010",
    "token_type" : "bearer",
    "data" : {
        "id" : 7,
        "first_name" : "Cathy",
        "last_name" : "O'Reilly (Dev)",
        "email" : "Cathy.Oreilly@mycompany.com"
    }
}

If the request fails, the response will have a status of 400 Bad Request and will have contents as follows:

Parameter Description
BODY DATA A JSON object with the following properties:

error: (string) An error code.

error_description: (string) A more detailed description of the error intended for the developer of your app.

For example, you might receive the following data in the response body after a failed request:

{
    "error" : "invalid_grant",
    "error_description" : "Invalid username or password"
}

Access Axosoft Data

Once you obtain a valid Access Token, you can access Axosoft data.