Any API request sent on behalf of an existing User must include an access_token in its header, or it will not succeed. This section outlines the endpoints and the authorization process for a User and your Client application.

The access_token is returned to your Client when you submit a temporary authorization_code to our OAuth server. It should then be included in the Authorization Header (Type: Bearer Token) for requests to the API.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authorization will also fail.

The basic sequence for generating an access_token:

  1. Create a User (if the User doesn't already exist)
  2. Present the User with Astra's OAuth module, which returns an authorization_code
  3. Exchange the authorization_code for an access_token using the token endpoint
  4. Use the access_token in your Authorization Header for API requests for that User

If you are using Astra's OAuth module, the redirect URL will include the authorization_code. In the Sandbox Environment, you can copy the authorization_code from the module web page directly to use with API requests.
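
Steps 2 to 4 of the sequence above from the Client's side, as an added example that is not Astra's code: it extracts the authorization_code from the redirect URL, builds the token exchange request, and attaches the Bearer header, refusing plain HTTP throughout. The host names, token endpoint path, query parameter name and JSON body field are placeholders and assumptions; client authentication for the token endpoint is not described on this page and is left out.

```python
import json
from urllib.parse import urlsplit, parse_qs
from urllib.request import Request

# Assumptions (not from the page): placeholder host and path, the query
# parameter name that carries the code, and the JSON body field name.
TOKEN_URL = "https://api.example.invalid/oauth/token"  # placeholder endpoint
CODE_PARAM = "authorization_code"                      # assumed parameter name

def require_https(url):
    """Reject anything that is not HTTPS; the API fails plain-HTTP calls."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url

def code_from_redirect(redirect_url):
    """Step 2: pull the single authorization_code out of the redirect URL."""
    values = parse_qs(urlsplit(redirect_url).query).get(CODE_PARAM, [])
    # Zero, blank or repeated values are all treated as a failed authorization.
    if len(values) != 1:
        raise ValueError("redirect must carry exactly one authorization_code")
    return values[0]

def token_exchange_request(code):
    """Step 3: build (not send) the code-for-token exchange request."""
    body = json.dumps({CODE_PARAM: code}).encode()
    return Request(require_https(TOKEN_URL), data=body, method="POST",
                   headers={"Content-Type": "application/json"})

def api_request(url, access_token):
    """Step 4: attach the User's access_token as a Bearer token."""
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access_token missing or malformed")
    return Request(require_https(url),
                   headers={"Authorization": f"Bearer {access_token}"})

# Constructed sample values, for illustration only.
SAMPLE_REDIRECT = (
    "https://client.example.invalid/callback?authorization_code=abc123"
)

if __name__ == "__main__":
    code = code_from_redirect(SAMPLE_REDIRECT)
    exchange = token_exchange_request(code)
    print(exchange.get_method(), exchange.full_url, exchange.data)
    call = api_request("https://api.example.invalid/v1/user", "sample-token")
    print(call.get_header("Authorization"))
```

The requests are only constructed, never sent, so the block runs offline; pass them to `urllib.request.urlopen` once the real endpoint and parameter names are filled in.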