Client Credentials Flow

OAuth Application Required

In order to authorize with OAuth, you are required to create a Universe application.

Applications can be created here: https://www.universe.com/oauth/applications

All authorized requests in our API require you to implement this strategy or the auth code grant flow. This flow, the client credentials flow, will only allow you to retrieve Universe user data for the owner of your OAuth application. If you are developing an integration for Universe users as a whole, please use the auth code grant flow.

Before proceeding with this guide, please make sure that you have created a Universe OAuth Application. Additionally, please familiarize yourself with OAuth 2.0 concepts generally: http://oauthbible.com

Step 1. Exchange Your Client Credentials for an Access Token

All registered Universe OAuth applications belong to individual Universe users (referred to as "owner"). In just one step, you can exchange an application's client_id and client_secret for an access_token, and with that access_token retrieve data as the application's owner.

curl --request POST \
  --url 'https://www.universe.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type":"client_credentials","client_id": "CLIENT_ID","client_secret": "CLIENT_SECRET"}'

Where:

  • grant_type: This must be client_credentials.
  • client_id: Your application's Client ID.
  • client_secret: Your application's Client Secret.

The response contains the access_token, refresh_token, expires_in, token_type, scope, and created_at values, for example:

{
  "access_token": "eyJz93a...k4laUWw",
  "refresh_token": "GEbRxBN...edjnXbL",
  "token_type": "Bearer",
  "expires_in": 2592000,
  "scope": "public",
  "created_at": 1494964915
}

Step 2. Using the Access Token

Once the access_token has been obtained, it can be used to make calls to the API by passing it as a Bearer token in the Authorization header of the HTTP request:

curl --request GET \
  --url https://api.universe.com/some_endpoint \
  --header 'authorization: Bearer ACCESS_TOKEN'
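
The two steps above as a small Python client, added here as an example and not Universe's own code: it keeps the client secret out of source by reading it from the environment, derives the token's expiry from created_at plus expires_in, and builds the Bearer header. The environment variable names and the 60-second expiry margin are assumptions.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://www.universe.com/oauth/token"  # endpoint from this guide


def build_token_request(client_id, client_secret):
    """Build the Step 1 POST; the secret travels only in the HTTPS body."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"content-type": "application/json"})


def parse_token_response(raw):
    """Validate the token response and compute its absolute expiry time."""
    tok = json.loads(raw)
    if str(tok.get("token_type", "")).lower() != "bearer" or not tok.get("access_token"):
        raise ValueError("unexpected token response")
    # created_at and expires_in are both in the response shown in Step 1.
    tok["expires_at"] = int(tok["created_at"]) + int(tok["expires_in"])
    return tok


def is_expired(tok, now=None, skew=60):
    """True once the token is within `skew` seconds of expiry (skew is an assumption)."""
    now = time.time() if now is None else now
    return now >= tok["expires_at"] - skew


def auth_header(tok):
    """Header for Step 2 requests."""
    return {"authorization": "Bearer " + tok["access_token"]}


if __name__ == "__main__":
    # Assumed variable names; keep the secret out of source and shell history.
    req = build_token_request(os.environ["UNIVERSE_CLIENT_ID"],
                              os.environ["UNIVERSE_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        token = parse_token_response(resp.read())
    # Print only non-secret metadata, never the token itself.
    print("scope:", token["scope"], "expires_at:", token["expires_at"])
```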