Tutorial: Acquiring an access token for application flow

This tutorial shows you how to acquire an access token for the OAuth scheme application flow in IBM® API Connect Version 5.0.7 and later.

Before you begin

Note: For tutorials about working with the developer toolkit in IBM API Connect Version 5.0.6 and earlier, see Developer toolkit tutorials for V5.0.6 and earlier.

This tutorial is a subsection of Tutorial: Securing an API by using OAuth 2.0 and cannot be completed independently. All prerequisites from the parent tutorial apply.

About this tutorial

You will acquire an access token for your application that allows it to access an API. This tutorial covers the application flow scheme, which is valid only for confidential clients, that is, clients that can keep their client secret private. You will use the application and API from Tutorial: Securing an API by using OAuth 2.0.

Requesting an access token

  1. In the Developer Portal, select the GET /details operation of your Branches API.
  2. In the Authorization section of Try this operation, in the console, record your Token URL value.
  3. Using your command line interface, enter the following command (as one line):
    curl -v -u Client_ID:Client_Secret -k -X POST -d {} 'Token_Endpoint_URL?grant_type=client_credentials&scope=Scope'
    Note: On Windows systems, you must modify the curl command to place quotation marks around the curly brace characters to change them from {} to "{}".
    Where:
    Note: If you are adapting the command for use with your command line interface, you must send application/x-www-form-urlencoded content.
    For example:
    curl -v -u 097a4830-eeb7-4f6e-ad4b-e507313a771e:lQ8hT1vA1mJ4qL0eL7nW0xL7wL5gE4hF8aL6wH5fW0rB8rW3iD -k -X POST -d {} 'https://host.com/myorg/sb/oauth-end/oauth2/token?grant_type=client_credentials&scope=view_branches'
    
    A message is returned, of the following form:
    {"token_type":"bearer", "access_token":"Access_Token", "expires_in":3600, "scope":"Scope"}
    Record the Access_Token value that is displayed in the message.
    For example:
    { "token_type":"bearer", "access_token":"AAEFYy1hbGwiOugk49sRso0D1yKfDi4Uny_W589WWa_Ea3eBG6ZbWwh-BT2zawnHK8sKM1EBUuAGTcyYh-n7sATyWi3-ElH8QBWqeadLE0h5cJcsUxMHa_65VM_tI8KnnNphi7CIxx0NJRuMbCE8uOHRIPCmNon3", "expires_in":3600, "scope":"view_branches" }
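
The same token request built from application code, as an added Python example that is not part of the IBM tutorial. It sends the grant parameters in a form-encoded body (the standard OAuth 2.0 form, assumed here to be accepted by your token endpoint) and checks the response fields shown above. The function names are hypothetical, and unlike curl with -k, urllib leaves TLS certificate verification on.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(token_url, client_id, client_secret, scope):
    """Build (without sending) the client_credentials token request."""
    if not token_url.lower().startswith("https://"):
        raise ValueError("token endpoint must use https")
    # Grant parameters as application/x-www-form-urlencoded content.
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode("ascii")
    # Equivalent of curl's -u Client_ID:Client_Secret (HTTP Basic).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        token_url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def parse_token_response(raw, requested_scope):
    """Return the access token after validating the returned message."""
    msg = json.loads(raw)
    if msg.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    token = msg.get("access_token")
    if not token:
        raise ValueError("no access_token in response")
    granted = set(msg.get("scope", "").split())
    if not set(requested_scope.split()) <= granted:
        raise ValueError("requested scope was not granted")
    if int(msg.get("expires_in", 0)) <= 0:
        raise ValueError("token already expired")
    return token


def fetch_token(token_url, client_id, client_secret, scope):
    """Send the request; urlopen verifies the server certificate by default."""
    req = build_token_request(token_url, client_id, client_secret, scope)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read(), scope)
```

Pass the client secret in from a secret store or environment variable rather than hard-coding it, and keep both the secret and the returned token out of logs.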
    

Using the access token

This section is common to all OAuth schemes and so is addressed in the Using the access token section of the Tutorial: Securing an API by using OAuth 2.0 tutorial.