Authentication

This section covers Flexera One API Authentication. Authenticated requests include an API Access Token which proves the caller's identity.

In the following examples, replace https://login.flexera.com/... with:

  • https://login.flexera.eu/... if your user is in the EU zone
  • https://login.flexera.au/... if your user is in the APAC zone

See Flexera One Zones for more information about the various zones.

User API Authentication

A user must create a refresh token to access Flexera One's APIs. The refresh token is used to generate access tokens, which must be included in requests to Flexera One APIs.

Create an API Refresh Token by logging in to Flexera One and navigating to API Credentials. Choose the Flexera One zone in which your user account exists:

Access Token Generation

The following uses cURL to generate an access token with your refresh token:

curl -s -i -X POST https://login.flexera.com/oidc/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&refresh_token=<refresh token>"

Note: login.flexera.* certificates require ciphers which are not supported by Windows Server 2012 R2.

A successful response:

HTTP/2 200
date: Wed, 30 Sep 2020 00:31:33 GMT
content-type: application/json
content-length: 1015

{
   "access_token": "<newly generated access token>",
   "expires_in": "<seconds until the returned access token expires>",
   "refresh_token": "<your refresh token>",
   "token_type":"Bearer"
}

  • Access tokens are valid for one hour
  • After your access token expires, generate a new one using the same API call

Service Account API Authentication

For an external application to authenticate as a service account, the service account and service account client resources must already have been created. The client is the service account's credential, and consists of a clientId and clientSecret.

Access Token Generation

curl -s -i -X POST https://login.flexera.com/oidc/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=<client Id>&client_secret=<client secret>"

Note: login.flexera.* certificates require ciphers which are not supported by Windows Server 2012 R2.

A successful response:

HTTP/2 200
date: Wed, 30 Sep 2020 00:31:33 GMT
content-type: application/json
content-length: 1015

{
   "access_token": "<newly generated access token>",
   "expires_in": "<seconds until the returned access token expires>",
   "token_type":"Bearer"
}

  • Access tokens are valid for one hour
  • After your access token expires, generate a new one using the same API call

Make an API Request

An access token is required to make an authenticated request to a Flexera One API. Regardless of whether the access token was generated by a user or a service account, the access token is used in the same way.

The following example API request retrieves basic information about an organization:

curl -s -i https://api.flexera.com/iam/v1/orgs/100 \
  -H "Authorization: Bearer <access token>"

  • A valid access token must be included in the Authorization header
  • Always use HTTPS when calling Flexera One's APIs
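
The token generation and request steps above can be combined into a small client-side cache that keeps the access token in memory only and renews it shortly before the one-hour expiry. This is an added example, not Flexera's own code; the names `TokenCache`, `refresh_token_grant`, `client_credentials_grant`, the zone keys `us`/`eu`/`apac` and the 60-second renewal margin are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

# Login hosts per zone, as listed on this page (the zone keys are assumed names).
LOGIN_HOSTS = {"us": "login.flexera.com", "eu": "login.flexera.eu", "apac": "login.flexera.au"}

def _https_post(url, form):
    """Default transport: form-encoded POST over HTTPS, returns the parsed JSON body."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def refresh_token_grant(refresh_token):
    """Form fields for user authentication."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token}

def client_credentials_grant(client_id, client_secret):
    """Form fields for service account authentication."""
    return {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}

class TokenCache:
    """Holds one access token in memory and renews it `skew` seconds before expiry."""

    def __init__(self, zone, grant, post=_https_post, clock=time.monotonic, skew=60):
        # Unknown zones raise KeyError, so credentials only go to a listed HTTPS host.
        self.url = f"https://{LOGIN_HOSTS[zone]}/oidc/token"
        self.grant, self.post, self.clock, self.skew = dict(grant), post, clock, skew
        self._token, self._expires_at = None, 0.0

    def __repr__(self):  # keep the refresh token / client secret out of logs
        return f"TokenCache(url={self.url!r}, grant_type={self.grant.get('grant_type')!r})"

    def access_token(self):
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            reply = self.post(self.url, self.grant)
            if str(reply.get("token_type", "")).lower() != "bearer" or not reply.get("access_token"):
                raise ValueError("unexpected token response")
            self._token = reply["access_token"]
            # expires_in may arrive as a number or a numeric string
            self._expires_at = self.clock() + int(reply["expires_in"])
        return self._token

    def auth_header(self):
        """Header to attach to each Flexera One API request."""
        return {"Authorization": f"Bearer {self.access_token()}"}
```

The `post` and `clock` parameters exist so the cache can be exercised offline with a stub transport; in normal use only `zone` and the grant are supplied.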

Security

  • Store credentials securely, for example in a password manager, and never share them with anyone
  • Any refresh token that is unused for one year will be automatically revoked for security
  • If any credential is compromised or lost, revoke/delete it immediately
  • Never share or store your access tokens where they may be compromised