Grant access using password

post/oauth/token
Internal-Use Only

Obtains an access token on behalf of an end user, using that user's authenticating credentials (such as username and password) along with the client identifier and the associated secret that have been registered with the SAS environment. The user credentials are validated. If they are valid, the SAS Logon API returns an access token. Obtaining access tokens on behalf of an end user is required for all SAS Viya APIs that support user and group authorization rules.

Request Samples

1

Response Samples

1{
2 "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIzNTM4ZTQxNTEyNDY0NmU3YTJiZjA1NDBlNTM3MjNlNSIsInN1YiI6IjAzMzNiODlkLTc5MjUtNDllZS04N2Y3LTQ4YzY1Mzg2N2RlZCIsInNjb3BlIjpbIm9wZW5pZCIsImdyb3VwMSIsImdyb3VwMiIsImdyb3VwMyJdLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJhenAiOiJhcHAiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiMDMzM2I4OWQtNzkyNS00OWVlLTg3ZjctNDhjNjUzODY3ZGVkIiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoiYm9iIiwiZW1haWwiOiJub25lIiwiYXV0aF90aW1lIjoxNTIyMTY3MTY3LCJyZXZfc2lnIjoiOWEzYzI0ZWQiLCJpYXQiOjE1MjIxNjcxNjcsImV4cCI6MTUyMjIxMDM2NywiaXNzIjoiaHR0cHM6Ly9leGFtcGxlLnNhcy5jb20vU0FTTG9nb24vb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsiYXBwIiwib3BlbmlkIl19.EOpYXf5acyiTn1wY5Tjr9vdu5Ez_UyPnYriMPlR9DkDTPtxxphdCiQweMEx8bjevWmFhDV-m4MDFm9F551F36cyhkpaXq39Xu6My_iDdc-xdAMvm04PHhz6p2NDSjCrmg9L5remIK-WQDyN3klkKNQvuN2V8jklVoXVMj_bBgpg",
3 "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiIzNTM4ZTQxNTEyNDY0NmU3YTJiZjA1NDBlNTM3MjNlNSIsInN1YiI6IjAzMzNiODlkLTc5MjUtNDllZS04N2Y3LTQ4YzY1Mzg2N2RlZCIsInNjb3BlIjpbIm9wZW5pZCIsImdyb3VwMSIsImdyb3VwMiIsImdyb3VwMyJdLCJjbGllbnRfaWQiOiJhcHAiLCJjaWQiOiJhcHAiLCJhenAiOiJhcHAiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiMDMzM2I4OWQtNzkyNS00OWVlLTg3ZjctNDhjNjUzODY3ZGVkIiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoiYm9iIiwiZW1haWwiOiJub25lIiwiYXV0aF90aW1lIjoxNTIyMTY3MTY3LCJyZXZfc2lnIjoiOWEzYzI0ZWQiLCJpYXQiOjE1MjIxNjcxNjcsImV4cCI6MTUyMjIxMDM2NywiaXNzIjoiaHR0cHM6Ly9leGFtcGxlLnNhcy5jb20vU0FTTG9nb24vb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsiYXBwIiwib3BlbmlkIl19.EOpYXf5acyiTn1wY5Tjr9vdu5Ez_UyPnYriMPlR9DkDTPtxxphdCiQweMEx8bjevWmFhDV-m4MDFm9F551F36cyhkpaXq39Xu6My_iDdc-xdAMvm04PHhz6p2NDSjCrmg9L5remIK-WQDyN3klkKNQvuN2V8jklVoXVMj_bBgpg",
4 "refresh_token": "dfd22292eaf447c4af633ff589f8c899-r",
5 "token_type": "bearer",
6 "expires_in": 43199,
7 "scope": "openid group1 group2 group3",
8 "refresh_expires_in": 1209599,
9 "refresh_revocable": true,
10 "revocable": false,
11 "jti": "322fdb2902c84a51a667b90b99fa1f06"
12}

Header Parameters

NameTypeRequiredDescription
Authorization
string
false

The basic authorization header containing the registered OAuth client identifier and secret. Optional if this information is passed as part of the form data.

Request Body

NameTypeRequiredDescription
client_id
string
false

The client identifier for the registered OAuth client and recipient of the token. Optional if this information is passed as part of the Authorization header.

client_secret
string
false

The client secret for the registered OAuth client. Optional if this information is passed as part of the Authorization header.

grant_type
string
true

The type of authentication used to obtain the token. In this case, 'password'.

response_type
string
false

The type of token that should be issued.

username
string
true

The username of the end user for whom the client is obtaining an access token on behalf of.

password
string
true

The end user's password.

scope
string
false

The space-limited list of scopes. Usually omitted, defaults to the scope registered to the client.

Responses

StatusMeaningDescription
200OKThe request succeeded.Schema
400Bad RequestThe request was invalid.