Making Authenticated Requests

3.4

Regardless of which grant type you used, or whether you used a client secret, you now have an OAuth 2.0 Bearer Token you can use with the API.

There are two ways API servers may accept Bearer tokens. One is in the HTTP Authorization header, the other is in a post body parameter. It’s up to the service which it supports, so you will need to check the documentation to know for sure.

When passing in the access token in an HTTP header, you should make a request like the following:

POST /resource/1/update HTTP/1.1
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
Host: api.authorization-server.com

description=Hello+World

If the service accepts access tokens in the post body, then you can make a request like the following:

POST /resource/1/ HTTP/1.1
Host: api.authorization-server.com

access_token=RsT5OjbzRn430zqMLgV3Ia&description=Hello+World

Keep in mind that the OAuth 2.0 spec doesn’t actually require one option or the other, so you will have to read the API documentation for the specific service you are interacting with to know whether it supports post body parameters or HTTP headers.
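The two requests above, built in Python as an added example (not code from the original page). The helper name `build_request`, the `https://` scheme on the page's host and the checks it performs are assumptions of this example; it constructs the request without sending it.

```python
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

FORM = "application/x-www-form-urlencoded"


def build_request(url, token, params, token_in="header"):
    """Return an unsent POST that carries `token` by exactly one method."""
    parts = urlsplit(url)
    # A bearer token works for anyone who sees it: refuse cleartext HTTP and
    # keep the token out of the URL, where logs and proxies would record it.
    if parts.scheme != "https":
        raise ValueError("bearer tokens must only be sent over https")
    if "access_token" in parse_qs(parts.query) or "access_token" in params:
        raise ValueError("pass the token via `token`, not the URL or params")
    # Whitespace (CR/LF included) would corrupt or split the header line.
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")

    headers = {"Content-Type": FORM}
    if token_in == "header":
        headers["Authorization"] = "Bearer " + token
        fields = dict(params)
    elif token_in == "body":
        fields = {"access_token": token, **params}
    else:
        raise ValueError("token_in must be 'header' or 'body'")
    return Request(url, data=urlencode(fields).encode("ascii"),
                   headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed sample values matching the requests shown on this page.
    url = "https://api.authorization-server.com/resource/1/update"
    token = "RsT5OjbzRn430zqMLgV3Ia"
    for mode in ("header", "body"):
        req = build_request(url, token, {"description": "Hello World"}, mode)
        print(mode, req.get_header("Authorization"), req.data.decode())
```

Pass the returned object to `urllib.request.urlopen` to send it, using whichever `token_in` mode the service's documentation says it accepts.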