Client Credentials Flow for Partners

In the section Requesting an ACCESS_TOKEN below, you will find a step-by-step guide with examples of how to get a temporary token and access the API. Frequently asked questions about this process are answered in the FAQ section below.

Requesting an `ACCESS_TOKEN`

➡️ Watch out for the environment URL!

When you’re ready to release your integration, replace the domain with https://gateway.remote.com. You can find the API documentation for the /auth/oauth2/token endpoint here.

To request an ACCESS_TOKEN, you need to send a POST request to our Authorization Servers according to the following items:

Send a POST request to https://gateway.remote-sandbox.com/auth/oauth2/token.
Include the authorization header with basic authentication encoded with Base64:
- Generate the Base64 with both credentials separated by a colon (:) as shown here — <client_id>:<client_secret>
- Use the header Authorization: Basic <client_id_and_client_secret_encoded_in_base64>
Include the Content-Type: application/x-www-form-urlencoded header in the request.
In the payload, you need to fill the grant type:
- grant_type filled with client_credentials — it's a constant value

Assuming your CLIENT_ID=your_client_id and CLIENT_SECRET=your_client_secret, an example of what your request should look like is shown below:

$ echo -n "your_client_id:your_client_secret" | base64
eW91cl9jbGllbnRfaWQ6eW91cl9jbGllbnRfc2VjcmV0

$ curl --location \
       --request POST 'https://gateway.remote-sandbox.com/auth/oauth2/token' \
       --header 'Authorization: Basic eW91cl9jbGllbnRfaWQ6eW91cl9jbGllbnRfc2VjcmV0' \
       --header 'Content-Type: application/x-www-form-urlencoded' \
       --data-urlencode 'grant_type=client_credentials'

The response to this request should look like the following JSON:

{
  "access_token": "eyJraWQiOiIrRHF3Y1A4TU80bEMrN1NxSVQxSVcHHL6LLZH0o_xWvoUG...",
  "expires_in": 3600,
  "token_type":"Bearer"
}

This means that the access_token of the type Bearer will expire in 3600 seconds after the time of the request.

⚠️ Watch out for the token!

The access token will be valid for 3600 seconds (one hour), so we recommend that the caller fetch a new access token before the current one expires (e.g. every 55 minutes). Please note that there is no limit to the number of access tokens that can be used at the same time.

Using the `ACCESS_TOKEN`

You can use the ACCESS_TOKEN to make requests described in our API Reference documentation. All you need to do is include the ACCESS_TOKEN in the Authorization header as shown in the example below:

$ curl --location \
       --request GET 'https://gateway.remote.com/eor/v1/companies' \
       --header 'Authorization: Bearer eyJraWQiOiIrRHF3Y1A4TU80bEMrN1NxSVQxSVcHHL6LLZH0o_xWvoUG...'

Frequently Asked Questions

I don't have my `CLIENT_ID` or `CLIENT_SECRET` credentials. What should I do?

Learn how to get your credentials in the Getting Started page.

Can I use my `ACCESS_TOKEN` more than once?

Yes. You can use your ACCESS_TOKEN as many times you want. Access is valid for 3600 seconds (one hour).

How can I find out when the `ACCESS_TOKEN` will expire?

The authorization server returns the key expires_in together with the access token. So you can easily calculate the expiration time based on the time the request was performed.

Do I need to wait for my `ACCESS_TOKEN` to expire before requesting a new one?

No. You can request as many tokens as you need. However, it's important to note that caching the token may save extra requests and reduce response times.

Requesting an ACCESS_TOKEN

Using the ACCESS_TOKEN

Frequently Asked Questions

I don't have my CLIENT_ID or CLIENT_SECRET credentials. What should I do?

Can I use my ACCESS_TOKEN more than once?

How can I find out when the ACCESS_TOKEN will expire?

Do I need to wait for my ACCESS_TOKEN to expire before requesting a new one?