Authentication

This section covers Flexera One API Authentication. Authenticated requests include an API Access Token which proves the caller's identity.

Get an API Refresh Token

Your refresh token is used for generating access tokens, which must be included in requests to Flexera One APIs.

Create an API Refresh Token by logging in to Flexera One, and navigating to API Credentials.

Choose Flexera One zone in which your user account exists:

• Flexera One NAM - API Credentials
• Flexera One EU - API Credentials
• Flexera One APAC - API Credentials

Access Token Generation

The following uses cURL to generate an access token with your refresh token:

curl -s -i -X POST https://login.flexera.com/oidc/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&refresh_token=<refresh token>"

Replace https://login.flexera.com/... with

• https://login.flexera.eu/... if your user is in the EU zone
• https://login.flexera.au/... if your user is in the APAC zone

See Flexera One Zones for more information about the various zones.

A successful response:

HTTP/2 200
date: Wed, 30 Sep 2020 00:31:33 GMT
content-type: application/json
content-length: 1015

{
   "access_token": "<newly generated access token>",
   "expires_in": "<seconds until the returned access token expires>",
   "refresh_token": "<your refresh token>",
   "token_type":"Bearer"
}

• Access tokens are valid for one hour
• After your access token expires, generate a new one using the same API call

Make an API Request

Use the generated access token to make a request to a Flexera One API.

The following example API request lists your user's active refresh tokens:

curl -s -i https://api.flexera.com/iam/v1/refresh-tokens \
  -H "Authorization: Bearer <your access token>"

• A valid access token must be included in the Authorization header
• Always use HTTPS when calling Flexera One APIs

Security

• Store your refresh token securely, in a password manager for example, and never share it with anyone
• Any refresh token that is unused for one year will be automatically revoked for security
• If your refresh token is compromised or lost, revoke it immediately
• Never share or store your access tokens where they may be compromised