Most API:s require the requests to include an OAuth 2 bearer token also known as an access token.

Fetch access token

An access token can be fetch with a HTTP POST request to https://skolid.se/connect/token with the following form values:

• grant_type = client_credentials
• client_id = client id received from IST
• client_secret = client secret received from IST
• (OPTIONAL) scope = the scopes/apis that should be included in the access token. Leave empty to include all scopes allowed for the client.

Example CURL:

curl --location --request POST 'https://skolid.se/connect/token' \
--form 'grant_type=client_credentials' \
--form 'client_id=<INSERT CLIENT ID>' \
--form 'client_secret=<INSERT CLIENT SECRET>'

Example Response:

{
    "access_token": "ACCESS_TOKEN",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": "skolid.profile"
}

Basic Auth can also be used for sending the client id and the client secret in the token request.

NOTE that the access token is only valid for a limited amount of time, usually an hour.

Use access token

An access token is usually included as a bearer token in the requests towards the respective API:s. This is done by using the Authorization HTTP header with the value Bearer <INSERT ACCESS TOKEN>.

Example CURL:

curl --location --request GET 'https://api.ist.com/example' \
--header 'Authorization: Bearer <ACCESS TOKEN>'