Grant Type Password

Your application's code needs to:

Store the returned access_token to use to authenticate all other endpoint requests until the token expires. (3600 seconds)
Store the returned refresh_token for the purpose of getting a new access_token after the access token expires.
Use the access token for all non-authentication related requests as specified by documentation for endpoints you are using. Access tokens expire in 3600 seconds.
To refresh a session, use the refresh token from the immediate prior session in a refresh request. When the refresh request is granted, the response contains another access token/refresh token pair.

The refresh token does not expire until a new initial access token request (a password or code grant type) or a refresh request occurs.

Password or Code grant types are limited to 5 authentication attempts per hour. Using the refresh token workflow avoids unneeded access token requests and prevents your application from reaching this limit.

Parameters

Name	Parameter Type	Allow Multiple	Required/ Optional	Data Type	Description
grant_type	x-www-form-urlencoded	False	Required	string	The value must be 'password'.
username	x-www-form-urlencoded	False	Required	string	The email address of a user in the Act-On account you are trying to access.
password	x-www-form-urlencoded	False	Required	string	The password associated with the username.
client_id	x-www-form-urlencoded	False	Required	string	The Client ID you received in your welcome email.
client_secret	x-www-form-urlencoded	False	Required	string	The Client Secret you received in your welcome email.

Unlike most other endpoints, the URL for the authentication request does not have /api/1/ in the URL path. The token endpoint URL is just: https://restapi.actonsoftware.com/token.

Request

POST /token HTTP/1.1
Host: restapi.actonsoftware.com
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
grant_type=password&amp;username=email%40company.com&amp;password=&lt;your_password&gt;&amp;client_id=&lt;your_clientid&gt;&amp;client_secret=&lt;
your_client_secret

POST /token HTTP/1.1

Host: restapi.actonsoftware.com

Cache-Control: no-cache

Content-Type: application/x-www-form-urlencoded

grant_type=password&username=email%40company.com&password=<your_password>&client_id=<your_clientid>&client_secret=<

your_client_secret

Response

 {
 "token_type":"bearer",
 "expires_in":3600,
 "refresh_token":"6d84dba1e8b55d795983af10abffffff"
 ,"access_token":"ec96c219f477cb695644498ffffff"
 }

{

"token_type":"bearer",

"expires_in":3600,

"refresh_token":"6d84dba1e8b55d795983af10abffffff"

,"access_token":"ec96c219f477cb695644498ffffff"

}

Code Examples

cURL Request

NOTE: replace the placeholder text in brackets with your client id and password.

curl -X POST -H "Cache-Control: no-cache" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=password&amp;username=%40url.com&amp;password=welcome2here&amp;client_id=&lt;your_clientid&gt;&amp;client_secret=your_client_secret' https://restapi.actonsoftware.com/token

1	curl -X POST -H "Cache-Control: no-cache" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=password&username=%40url.com&password=welcome2here&client_id=<your_clientid>&client_secret=your_client_secret' https://restapi.actonsoftware.com/token

Refreshing Authentication

After the initial authentication, you’ll need to use the Refresh grant type to get a new access token before the current one’s hour-long lifespan expires.