Client Credentials Flow
How to use the client credentials flow with your OAuth application
The client credentials flow requires a `client_id` and `client_secret` issued to you by Carta. The client credentials flow provides access to data about your company and does not require explicit permission from a Carta user prior to accessing that data.

- Your app submits your `client_id` and `client_secret` to Carta's `/access_token/` endpoint
- Carta returns an OAuth access token
- Your app uses the token to access Carta's data endpoints
1. Request an OAuth token
Your application makes a backend (server-to-server) request for an OAuth token. Calling this endpoint returns the OAuth token:
POST https://login.app.carta.com/o/access_token/
Request Headers
| Header Name | Value |
|---|---|
| Authorization | Required. String containing the text `Basic {BASE64_ENCODED_CLIENT_INFO}`, where `{BASE64_ENCODED_CLIENT_INFO}` is the string `{client_id}:{client_secret}` base64-encoded. |
| Content-Type | Required. String containing the text `application/x-www-form-urlencoded`. |
Request Body
| Parameter | Type | Description |
|---|---|---|
| scope | string | Required. Scopes delimited with a space (`" "`). |
| grant_type | string | Required. String containing the text `CLIENT_CREDENTIALS`. |
Response
{
  "access_token": "{ACCESS TOKEN}",
  "expires_in": "{Lifetime in seconds}",
  "scope": "{SCOPES REQUESTED}",
  "token_type": "Bearer"
}
Response Body
| Parameter | Type | Description |
|---|---|---|
| access_token | string | Token you use to make requests. |
| expires_in | string | Seconds until `access_token` expires. |
| scope | string | Scopes, delimited with a space (`" "`). |
| token_type | string | String containing the text `Bearer`. |
2. Use the access token to access the API
The access token allows you to make requests to the API and is valid for one hour. Important: Never store the access token within a user-agent (e.g., do not store it in a cookie); keep it in your backend only.
Authorization: Bearer <ACCESS TOKEN>
GET https://api.carta.com/<api>
Revoke Token Flow
The revoke token flow lets you revoke an active access token.
Make a request to revoke a token
POST https://login.app.carta.com/o/revoke_token/
Headers
| Header Name | Value |
|---|---|
| Authorization | Required. String containing the text `Basic {BASE64_ENCODED_CLIENT_INFO}`, where `{BASE64_ENCODED_CLIENT_INFO}` is the string `{client_id}:{client_secret}` base64-encoded. |
| Content-Type | Required. String containing the text `application/x-www-form-urlencoded`. |
Request Body
| Parameter | Type | Description |
|---|---|---|
| token | string | Required. The token you want to revoke. |
| token_type_hint | string | Required. String containing the text `access_token`. |
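The following is an added example of the complete token lifecycle described on this page (request a token, reuse it until shortly before `expires_in` elapses, then revoke it). It is not Carta's own SDK or sample code; it only uses the endpoints, headers and body parameters documented above. The scope names `scope_a` and `scope_b`, the client credentials, and the `FakePost` transport used for offline testing are placeholders. The token is held only in backend process memory, never handed to a user-agent, matching the "Important" note in step 2.

```python
"""Client-credentials helper for Carta's OAuth endpoints.

Added example: not Carta's SDK. Endpoints, headers and parameters are taken
from the documentation above; scope names and credentials are placeholders.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.app.carta.com/o/access_token/"
REVOKE_URL = "https://login.app.carta.com/o/revoke_token/"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization value: 'Basic ' + base64('{client_id}:{client_secret}')."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _form_headers(client_id: str, client_secret: str) -> dict:
    """Both endpoints take Basic client auth and a form-urlencoded body."""
    return {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }


def token_request(client_id: str, client_secret: str, scopes: list) -> tuple:
    """Headers and body for POST /o/access_token/ (grant_type + space-delimited scope)."""
    body = urllib.parse.urlencode(
        {"grant_type": "CLIENT_CREDENTIALS", "scope": " ".join(scopes)}
    )
    return _form_headers(client_id, client_secret), body


def revoke_request(client_id: str, client_secret: str, token: str) -> tuple:
    """Headers and body for POST /o/revoke_token/."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    return _form_headers(client_id, client_secret), body


def post_form(url: str, headers: dict, body: str) -> dict:
    """Real transport: POST the urlencoded body, return the parsed JSON response."""
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        payload = resp.read()
    return json.loads(payload) if payload else {}


class TokenCache:
    """Holds the access token in backend memory and refreshes it before it expires.

    `post` and `clock` are injectable so the logic can be exercised offline.
    `skew` seconds are subtracted from expires_in so a token is never used right
    at its expiry boundary.
    """

    def __init__(self, client_id, client_secret, scopes, post=post_form, clock=time.time, skew=60):
        self._client_id = client_id
        self._client_secret = client_secret
        self._scopes = list(scopes)
        self._post = post
        self._clock = clock
        self._skew = skew
        self._token = None
        self._expires_at = 0.0

    def get(self) -> str:
        """Return a valid access token, requesting a new one only when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            headers, body = token_request(self._client_id, self._client_secret, self._scopes)
            resp = self._post(TOKEN_URL, headers, body)
            if str(resp.get("token_type", "")).lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = resp["access_token"]
            # expires_in is documented as a string of seconds; int() accepts either form.
            self._expires_at = self._clock() + int(resp["expires_in"])
        return self._token

    def auth_header(self) -> dict:
        """Header to attach to API calls, e.g. GET https://api.carta.com/<api>."""
        return {"Authorization": f"Bearer {self.get()}"}

    def revoke(self) -> bool:
        """Revoke the cached token via /o/revoke_token/ and forget it. False if none cached."""
        if self._token is None:
            return False
        headers, body = revoke_request(self._client_id, self._client_secret, self._token)
        self._post(REVOKE_URL, headers, body)
        self._token = None
        self._expires_at = 0.0
        return True
```

In production, construct `TokenCache` once per process with the real `post_form` transport and call `auth_header()` on every API request; call `revoke()` when the application shuts down or when the credentials are rotated.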