Authenticating API Requests

There are two ways to authenticate Aspose for Cloud REST APIs.

  1. OAuth 2.0
  2. URL Signing

Although URL Signing is still supported, we recommend that users switch to OAuth 2.0, as it is an industry standard and more convenient to use.

OAuth 2.0

The Aspose for Cloud REST API supports the OAuth 2.0 protocol using the client_credentials workflow to authorize calls.

OAuth 2.0 is an authorization framework that enables applications to obtain access to user account data through our REST API. OAuth provides authorization flows for web applications, desktop applications, and mobile devices.

The basic concept and how it works are described in the following image:


To access the REST API using the OAuth 2.0 protocol, you need to create an application. To register a new application, log in to the Dashboard Developer site using your Aspose Account and go to the My Apps view. Once you create a new application, we will issue a client_id (App SID) and a client_secret (App Key) that you can use to authenticate your REST API calls using the OAuth 2.0 protocol. (You can generate new secrets for your Apps, but make sure you update them when issuing new access tokens using those credentials.)

Get Access/Refresh Token

After you have created a new application, you can obtain an access token by sending a POST request to the /oauth2/token endpoint. The access token request itself must be authenticated using the Client Credentials authorization grant type flow:

POST request to:
Headers:
  Accept: application/json
  Content-Type: application/x-www-form-urlencoded
Body:
  grant_type: client_credentials
  client_id: APP_SID
  client_secret: APP_KEY

The endpoint acts as an authorization server and verifies your credentials. If they are correct, it returns a JSON ticket containing several items, among them the access_token, the refresh_token, and the expiry time of both tokens. The access_token is a Bearer token that you then use in the Authorization header of your requests.

Each application you create in the dashboard can have only one refresh_token in use. Any new request for a refresh_token will override and revoke the previous one.
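The token request described above, as an added Python example (not Aspose's own code): it sends the App Key only in the form-encoded body and reuses the returned Bearer token until shortly before it expires, so the token endpoint is called once per token lifetime rather than once per API call. The host `api.example.invalid`, the `TokenCache` helper, and the RFC 6749 response fields `expires_in` and `token_type` are assumptions; the page names only `access_token`, `refresh_token` and an expiry time.

```python
import json
import time
import urllib.parse
import urllib.request

# Hypothetical placeholder host; the page only names the /oauth2/token path.
TOKEN_URL = "https://api.example.invalid/oauth2/token"


def build_token_request(app_sid, app_key, url=TOKEN_URL):
    """Build the client_credentials POST; the secret goes in the body, never the URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_sid,
        "client_secret": app_key,
    }).encode("ascii")
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def http_send(request):
    """Default transport: a real HTTPS call with a timeout."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read()


class TokenCache:
    """Hypothetical helper: reuses one access token until shortly before expiry."""

    def __init__(self, app_sid, app_key, send=http_send, clock=time.monotonic, skew=60):
        self._creds = (app_sid, app_key)
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._expires_at = None, 0.0

    def auth_header(self):
        if self._token is None or self._clock() >= self._expires_at:
            ticket = json.loads(self._send(build_token_request(*self._creds)))
            if str(ticket.get("token_type", "bearer")).lower() != "bearer":
                raise ValueError("unexpected token_type in ticket")
            # Assumption: RFC 6749 field names (expires_in is a lifetime in seconds).
            self._token = ticket["access_token"]
            self._expires_at = self._clock() + int(ticket["expires_in"]) - self._skew
        return {"Authorization": "Bearer " + self._token}
```

Pass the dictionary returned by `auth_header()` as the headers of each API request; keep the App SID and App Key in a secret store or environment variables rather than in source code.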

cURL Example