Authentication
This section covers Flexera One API Authentication. Authenticated requests include an API Access Token which proves the caller's identity.
Get an API Refresh Token
Your refresh token is used for generating access tokens, which must be included in requests to Flexera One APIs.
Create an API Refresh Token by logging in to Flexera One, and navigating to API Credentials.
Choose Flexera One zone in which your user account exists:
- Flexera One NAM - API Credentials
- Flexera One EU - API Credentials
- Flexera One APAC - API Credentials
Access Token Generation
The following uses cURL to generate an access token with your refresh token:
curl -s -i -X POST https://login.flexera.com/oidc/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=<refresh token>"
Replace https://login.flexera.com/...
with
https://login.flexera.eu/...
if your user is in the EU zonehttps://login.flexera.au/...
if your user is in the APAC zone
See Flexera One Zones for more information about the various zones.
A successful response:
HTTP/2 200
date: Wed, 30 Sep 2020 00:31:33 GMT
content-type: application/json
content-length: 1015
{
"access_token": "<newly generated access token>",
"expires_in": "<seconds until the returned access token expires>",
"refresh_token": "<your refresh token>",
"token_type":"Bearer"
}
- Access tokens are valid for one hour
- After your access token expires, generate a new one using the same API call
Make an API Request
Use the generated access token to make a request to a Flexera One API.
The following example API request lists your user's active refresh tokens:
curl -s -i https://api.flexera.com/iam/v1/refresh-tokens \
-H "Authorization: Bearer <your access token>"
- A valid access token must be included in the Authorization header
- Always use
HTTPS
when calling Flexera One APIs
Security
- Store your refresh token securely, in a password manager for example, and never share it with anyone
- Any refresh token that is unused for one year will be automatically revoked for security
- If your refresh token is compromised or lost, revoke it immediately
- Never share or store your access tokens where they may be compromised