
Password

Trusted API clients that can prompt users for their AppDirect credentials can use the Password grant type to exchange a username and password for an access token. As with the Authorization Code grant type, it should be used only by API clients that can keep the client secret secure. Because the client handles the user's plaintext password, it must send that password only to the token endpoint, only over TLS, and must not store it; where a browser-based login is possible, prefer the Authorization Code grant, which never exposes the password to the client at all.

The following diagram illustrates this flow:

OAuth 2.0 Password flow

  1. The application initiates authorization by sending a POST request to the token endpoint to exchange the user's password for an access token and, optionally, a refresh token. This request must be authenticated with HTTP Basic authentication using the client ID and client secret.

    Sample request: 

    curl -X POST -u appdirect-49:9vY0s4yb2pbnP7Vz -H 'Content-Type: application/x-www-form-urlencoded' "https://marketplace.example.com/oauth2/token" -d "grant_type=password&username=tom.jones%40example.com&password=origo2017&scope=ROLE_USER%20ROLE_BILLING_ADMIN"
    Parameter    Description
    grant_type   Must be password, which indicates the Resource Owner Password Credentials grant type.
    username     Username of the marketplace user on whose behalf your application is requesting the access token.
    password     Marketplace password for that user.
    scope        A space-separated list of requested scopes. The scopes actually granted are returned in the response and may be narrower than those requested, so check the response's scope field rather than assuming the request was honored in full.
  2. The access token and, optionally, the refresh token are returned. expires_in is the token lifetime in seconds from the time of issue.

    Sample response:

    {
      "access_token": "7iVGxe84f1ew6QENpCD3",
      "refresh_token": "qsdfbasfsa1bjbfdjbfs",
      "token_type": "bearer",
      "expires_in": 43199,
      "scope": "ROLE_USER ROLE_BILLING_ADMIN"
    }
  3. Call an AppDirect API and include the access token in the Authorization header as a bearer token. Bearer tokens are not bound to the client, so every API call must be made over HTTPS; sending the header over plain HTTP lets anyone on the path reuse the token.

    Sample request:

    curl -H 'Authorization: Bearer 7iVGxe84f1ew6QENpCD3' "https://marketplace.example.com/api/account/v2/subscriptions/6c31d072-8480-11e3-b2f4-22000ae812a4/assignments"
  4. Receive the API response.
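The four steps above carried through in one client, as an added example that is not AppDirect's own code or client library: it builds the Basic-authenticated token request, parses the token response (including the OAuth error document returned for bad credentials), tracks expiry with a safety margin, checks the granted scopes, and attaches the bearer token to an API call. The Token and TokenError types, the https-only check, the expiry skew and the error response body are this example's own assumptions; the endpoint URLs and the sample credentials, token and scopes are the ones used on this page.

```python
# Added example (not AppDirect's code): a minimal OAuth 2.0 password-grant client.
# Token, TokenError, the https check and the expiry skew are this example's
# own choices; endpoint paths and sample values are taken from the page.
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional, Sequence

TOKEN_URL = "https://marketplace.example.com/oauth2/token"

# Sample token response copied from the page, and a constructed error document
# in the shape RFC 6749 section 5.2 prescribes for a rejected password.
SAMPLE_RESPONSE = (b'{"access_token": "7iVGxe84f1ew6QENpCD3", "refresh_token": "qsdfbasfsa1bjbfdjbfs",'
                   b' "token_type": "bearer", "expires_in": 43199, "scope": "ROLE_USER ROLE_BILLING_ADMIN"}')
SAMPLE_ERROR = b'{"error": "invalid_grant", "error_description": "Bad credentials"}'  # constructed


class TokenError(Exception):
    """The token endpoint rejected the request (OAuth error document or non-JSON body)."""

    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}" if description else error)
        self.error = error


@dataclass
class Token:
    access_token: str
    refresh_token: Optional[str]
    scope: str
    expires_at: float  # epoch seconds

    def is_expired(self, now: Optional[float] = None, skew: float = 60.0) -> bool:
        # Treat the token as dead `skew` seconds early so an in-flight request
        # does not fail with 401 right at the boundary.
        return (time.time() if now is None else now) >= self.expires_at - skew


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # Step 1: client authentication is HTTP Basic over "client_id:client_secret".
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _require_https(url: str) -> None:
    # Never put a client secret, a user password or a bearer token on the wire in clear.
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send credentials to non-https URL: {url}")


def build_token_request(token_url: str, client_id: str, client_secret: str,
                        username: str, password: str, scopes: Sequence[str]) -> urllib.request.Request:
    _require_https(token_url)
    form = {"grant_type": "password", "username": username,
            "password": password, "scope": " ".join(scopes)}
    # quote (not quote_plus) so spaces become %20, matching the page's sample.
    body = urllib.parse.urlencode(form, quote_via=urllib.parse.quote).encode("ascii")
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def parse_token_response(status: int, body: bytes, now: Optional[float] = None) -> Token:
    # Step 2: accept only a 200 with a bearer token; surface OAuth errors by code.
    try:
        payload = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        raise TokenError(f"http_{status}", "non-JSON response from token endpoint")
    if status != 200 or "error" in payload:
        raise TokenError(payload.get("error", f"http_{status}"), payload.get("error_description", ""))
    if str(payload.get("token_type", "")).lower() != "bearer":
        raise TokenError("unsupported_token_type", str(payload.get("token_type")))
    issued = time.time() if now is None else now
    return Token(access_token=payload["access_token"], refresh_token=payload.get("refresh_token"),
                 scope=payload.get("scope", ""), expires_at=issued + float(payload["expires_in"]))


def has_scope(token: Token, scope: str) -> bool:
    # The server may grant fewer scopes than requested; check before relying on one.
    return scope in token.scope.split()


def bearer_request(url: str, token: Token) -> urllib.request.Request:
    # Step 3: the API call carries the access token as a bearer token, https only.
    _require_https(url)
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token.access_token}"})


def fetch_token(client_id: str, client_secret: str, username: str, password: str,
                scopes: Sequence[str], token_url: str = TOKEN_URL) -> Token:
    # Network round trip for steps 1-2; 4xx responses carry the OAuth error JSON body.
    req = build_token_request(token_url, client_id, client_secret, username, password, scopes)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read())


if __name__ == "__main__":
    tok = fetch_token("appdirect-49", "9vY0s4yb2pbnP7Vz", "tom.jones@example.com",
                      "origo2017", ["ROLE_USER", "ROLE_BILLING_ADMIN"])
    api = bearer_request("https://marketplace.example.com/api/account/v2/subscriptions/"
                         "6c31d072-8480-11e3-b2f4-22000ae812a4/assignments", tok)
    with urllib.request.urlopen(api, timeout=10) as resp:  # step 4: the API response
        print(resp.status, resp.read()[:200])
```

The password is passed straight into build_token_request and never kept on the Token object; after the exchange the client should hold only the tokens. Refreshing with the returned refresh_token is a separate grant against the same token endpoint and is not shown here.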
