This section explains how to authenticate to the API.

The Thredd Cards API uses OAuth 2 for authentication between Thredd and Clients. This means that to perform an action on the Cards API, you need to supply a valid OAuth Token in the header of each API request. For more information about the headers in the Thredd Cards API, see Headers.

Thredd uses the Client Credentials OAuth flow to generate a valid OAuth token. For more information about granting OAuth Client Credentials, see the website.

The following OAuth terms are used in this section:

  • User — this is the resource owner (in this case >) who authorise an application to access their account. Access is limited to the scope of the authorisation granted.
  • Client — this is the application requesting access to the user’s account. The application must be authorised by the user, and the authorisation must be validated by the API.
  • Resource/Authorisation Server — this is the API. The Resource server hosts the user’s accounts. The Authorisation server verifies the identity of the users and grants access tokens to the application.

Generating an OAuth Token and Accessing the > API

To interface and authenticate with the Thredd Cards API, both a ClientId and ClientSecret are required.
To obtain these, you must register with Thredd. Please contact your Thredd Implementation Manager.
When registered, you will receive your Program Manager ID and user credentials.

Next, you use these credentials to generate an access token using our Retrieve access token endpoint.

After receiving a valid OAuth2 token, use this in the Authorisation header on all subsequent API requests.


API Explorer

See the Retrieve access token endpoint.


Expired Tokens

The Client Credentials flow does not allow a user to refresh an OAuth Token. If your token expires, you will need to generate a new OAuth Token.