### Example OAuth 2.0 Access Token Response Source: https://developer.clarivate.com/help/api-access A successful OAuth 2.0 token request returns a JSON object containing the token type, the access token itself, and its expiration time in seconds. ```json {"token_type":"bearer","access_token": "**db530d89558843a99ec80f639434faa8**","expires_in": 3600} ``` -------------------------------- ### Request an Access Token Source: https://developer.clarivate.com/help/oauth2_client_credentials Use this POST request to obtain an access token. Replace placeholders with your specific client credentials and API identifiers. ```bash curl -X POST -d 'grant_type=client_credentials&client_id=**(your client id)**&client_secret=**(your client secret)**&scope=**(space separated list)**' https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/token ``` -------------------------------- ### Handle Redirect Response Source: https://developer.clarivate.com/help/oauth2_implicit_grant The authorization server returns the access token as a fragment in the redirect URL. ```text https://app.yourcompany.com/#access_token=**(access token)**&expires_in=3600&token_type=bearer ``` -------------------------------- ### Redirect to Authorization Endpoint Source: https://developer.clarivate.com/help/oauth2_implicit_grant Construct the authorization URL to initiate the Implicit Grant flow. Ensure all mandatory parameters like client_id, redirect_uri, and response_type=token are included. ```text https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/authorize?client_id=**(your client id)**&redirect_uri=**(redirect URI of your application)**&response_type=token&scope=**(space separated list of scopes)** ``` -------------------------------- ### Authorize with PKCE Source: https://developer.clarivate.com/help/oauth2_authorization_code The authorization endpoint URL for public clients requiring code_challenge and code_challenge_method parameters. ```text https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/authorize?client_id=**(your client id)**&redirect_uri=**(redirect URI of your application)**&response_type=code&scope=**(space separated list of scopes)**&**code_challenge=****(code challenge)****&code_challenge_method=S256** ``` -------------------------------- ### Request Access Token with PKCE Source: https://developer.clarivate.com/help/oauth2_authorization_code The cURL command to exchange an authorization code for an access token using the code_verifier. ```bash curl -X POST -d 'grant_type=authorization_code&client_id=**(your client id)**&code_verifier=**(unhashed code verifier)**&code=**(authorization code)**' https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/token ``` -------------------------------- ### Redirect to Authorization Server Source: https://developer.clarivate.com/help/oauth2_authorization_code Redirect your application to the Authorization Server's /authorize endpoint to initiate the OAuth2 flow. Ensure all mandatory parameters are included. ```URL https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/authorize?client_id=**(your client id)**&redirect_uri=**(redirect URI of your application)**&response_type=code&scope=**(space separated list of scopes)** ``` -------------------------------- ### Call API with API Key using curl Source: https://developer.clarivate.com/help/api-access Use this method when your subscribed API is secured by an API Key. Pass the key in the 'X-ApiKey' HTTP header. Ensure the API key is unique to your application. ```bash $ curl -H 'X-ApiKey: (your API Key)' https://api.clarivate.com/desired_api/some_endpoint ``` -------------------------------- ### Request Access Token for Confidential Clients Source: https://developer.clarivate.com/help/oauth2_password_grant Use this curl command for confidential clients that can securely store a client secret. ```bash curl -X POST -d 'grant_type=password&client_id=**(your client id)**&client_secret=**(your client secret)**&username=**(user email)**&password=**(password)**' https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/token ``` -------------------------------- ### Authorization Code Callback Source: https://developer.clarivate.com/help/oauth2_authorization_code The Authorization Server redirects back to your application with the authorization code as a query parameter. This is the callback URL your application should be listening on. ```URL http://your.application.com/oauth2/callback?code=**(authorization code)** ``` -------------------------------- ### Access an API Endpoint Source: https://developer.clarivate.com/help/oauth2_client_credentials Include the access token in the Authorization header as a bearer token to authenticate API calls. ```bash curl -H 'Authorization: Bearer **(access token)**' https://api.clarivate.com/**(api endpoint)** ``` -------------------------------- ### POST /token - Refresh Access Token (Native/Mobile) Source: https://developer.clarivate.com/help/oauth2_authorization_code Native/mobile clients can use the /token endpoint to refresh their access tokens. Unlike confidential clients, they must not present their client_secret in this request. A new access token and a new refresh token are returned upon success. The refresh token used in the request becomes invalid after use, and the new refresh token must be used for subsequent refreshes. ```APIDOC ## POST /token - Refresh Access Token (Native/Mobile) ### Description This endpoint allows native and mobile applications to refresh their access tokens using a valid refresh token. Public clients (native/mobile) should not include their `client_secret` in this request. ### Method POST ### Endpoint `https://api.clarivate.com/auth/(auth method id)/api/(api id)/token` ### Parameters #### Query Parameters - **grant_type** (string) - Required - Must be set to `refresh_token`. - **client_id** (string) - Required - Your application's client ID. - **refresh_token** (string) - Required - The refresh token obtained previously. ### Request Example ```curl curl -X POST -d 'grant_type=refresh_token&client_id=**(your client id)**&refresh_token=**(refresh token)**' https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/token ``` ### Response #### Success Response (200) Upon successful refresh, the Authorization Server returns a new access token and a new refresh token. - **access_token** (string) - The new access token. - **refresh_token** (string) - The new refresh token. The previously used refresh token is now invalid. #### Response Example ```json { "access_token": "new_access_token_string", "refresh_token": "new_refresh_token_string" } ``` ``` -------------------------------- ### Call API with OAuth 2.0 Bearer Token using curl Source: https://developer.clarivate.com/help/api-access After obtaining an access token via the Client Credentials Flow, use this command to make authenticated API calls. The token is passed in the 'Authorization' header as a Bearer token. ```bash $ curl --header 'Authorization: Bearer db530d89558843a99ec80f639434faa8' https://api.clarivate.com/desired_api/some_endpoint ``` -------------------------------- ### Access Token Response Format Source: https://developer.clarivate.com/help/oauth2_client_credentials The expected JSON response from the Authorization Server upon a successful token request. ```json { "access_token": "**(access token)**", "token_type": "bearer", "expires_in": 3600 } ``` -------------------------------- ### Refresh Access Token (Public Client) Source: https://developer.clarivate.com/help/oauth2_password_grant Public clients should use this cURL command to refresh an access token, omitting the client secret. Replace placeholders with your specific details. ```bash curl -X POST -H "Content-Type: application/json" -d '{"grant_type":"refresh_token","client_id":"**(your client id)**","refresh_token":"**(refresh token)**"}' https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/token ``` -------------------------------- ### Refresh Access Token (Confidential Client) Source: https://developer.clarivate.com/help/oauth2_password_grant Use this cURL command to refresh an access token for confidential clients. Ensure you replace placeholders with your actual client ID, client secret, and refresh token. ```bash curl -X POST -H "Content-Type: application/json" -d '{"grant_type":"refresh_token","client_id":"**(your client id)**","client_secret":"**(your client secret)**","refresh_token":"**(refresh token)**"}' https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/token ``` -------------------------------- ### Request Access Token for Public Clients Source: https://developer.clarivate.com/help/oauth2_password_grant Use this curl command for public clients, such as mobile applications, which must not expose a client secret. ```bash curl -X POST -d 'grant_type=password&client_id=**(your client id)**&username=**(user email)**&password**(password)**' https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/token ``` -------------------------------- ### Request Access Token with Authorization Code Source: https://developer.clarivate.com/help/oauth2_authorization_code Use `curl` to POST the authorization code, client ID, and client secret to the Token endpoint to obtain an access token and refresh token. ```curl curl -X POST -d 'grant_type=authorization_code&client_id=**(your client id)**&client_secret=**(your client secret)**&code=**(authorization code)**' https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/token ``` -------------------------------- ### Refresh Access Token (Native/Mobile) Source: https://developer.clarivate.com/help/oauth2_authorization_code Use this cURL command to refresh the access token for native or mobile applications. Public clients should not present their client_secret. The refresh token used in this call becomes invalid after a successful refresh. ```curl curl -X POST -d 'grant_type=refresh_token&client_id=**(your client id)**&refresh_token=**(refresh token)**' https://api.clarivate.com/auth/**(auth method id)**/api/**(api id)**/token ```