Get an Access Token for Legacy Packages

The first step in any API-based integration is getting an OAuth access token to authenticate your calls. This information applies only to API integrations in legacy packages. To get an access token for OAuth 2.0 API integrations, review Set Up Your Development Environment for Enhanced Packages.

Using the client ID and secret from the installed package, call the Auth service to obtain an OAuth access token for authenticating your API calls. This sample call demonstrates how to POST to that resource to acquire an access token.

The response contains your access token.

Specify the access token to authenticate all other REST API calls via the Authorization header field with the Bearer HTTP authorization scheme.

This example uses the same access token to authenticate with the SOAP API.

Access tokens expire one hour after they're issued. If you attempt to use an expired token, you receive a 401 Unauthorized HTTP response. If this happens, refresh your access token by calling requestToken again.

Keep these considerations in mind when using the API.

  1. Don't request a new access token for every API call you make. Each access token is good for an hour and is reusable. Making two API calls for every one operation is inefficient and can lead to throttling.
  2. Keep your credentials secure. Never expose your client ID or secret on the client side or store them in a mobile app.
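
The token-reuse and expiry guidance above, shown as an added example that is not part of the original page or the vendor's own code. `TokenCache`, `fetch_token`, `send` and the 60-second refresh margin are hypothetical names and values chosen for illustration. `fetch_token` stands in for the server-side `requestToken` call, and the demo uses a constructed fake clock and fake API so it runs offline.

```python
import time

TOKEN_LIFETIME_S = 3600  # the page states tokens expire one hour after issue
REFRESH_MARGIN_S = 60    # assumption: renew slightly early to avoid expiry races

class TokenCache:
    """Reuses one access token until it is close to expiry."""
    def __init__(self, fetch_token, clock=time.monotonic):
        # fetch_token: hypothetical callable that performs the requestToken
        # POST on the server (where the client secret lives) and returns
        # the access token string.
        self._fetch_token = fetch_token
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_S:
            self.refresh()
        return self._token

    def refresh(self):
        self._token = self._fetch_token()
        self._expires_at = self._clock() + TOKEN_LIFETIME_S

    def call(self, send):
        """send(headers) -> (status, body). Retries exactly once after a 401."""
        status, body = send({"Authorization": f"Bearer {self.get()}"})
        if status == 401:
            self.refresh()
            status, body = send({"Authorization": f"Bearer {self.get()}"})
        return status, body

def demo():
    """Constructed offline run: fake clock, fake Auth service, fake API."""
    now, issued, rejected = [0.0], [], set()
    def fake_fetch():
        issued.append(f"tok-{len(issued) + 1}")
        return issued[-1]
    def fake_api(headers):
        token = headers["Authorization"].split(" ", 1)[1]
        return (401, None) if token in rejected else (200, token)
    cache = TokenCache(fake_fetch, clock=lambda: now[0])
    results = [cache.call(fake_api) for _ in range(3)]  # three calls, one token
    now[0] = 3550.0                                     # inside the refresh margin
    results.append(cache.call(fake_api))                # renewed before expiry
    rejected.add("tok-2")                               # API starts returning 401
    results.append(cache.call(fake_api))                # refresh, then one retry
    return results, issued
```

Five API calls in the demo cost three token requests in total: one at start, one at the refresh margin, and one after the 401.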