REST API Using oAuth For Authentication

Last published at: July 18th, 2023

FlowWright REST API traditionally was secured using basic authentication with a username and password. With FlowWright, we now support OAuth-based authentication. OAuth is secure - and popular with web application developers. Many applications (such as Facebook, LinkedIn, Twitter, HubSpot, SugarCRM, SalesForce) support OAuth authentication.

What is OAuth?

OAuth is an open standard for access delegation and is commonly used as a way for Internet users to grant websites or applications access to their information without giving out passwords.

How does FlowWright OAuth work?

The below diagram shows the initial token request using the FlowWright REST APIs.

An HTTP POST request is sent to the following URL:


With the POST request, the following fields and values are sent through the form body:

  • username – FlowWright user name
  • password – FlowWright user password

FlowWright REST API will authenticate the user with FlowWright security, if the authentication is successful, then a response is sent back in JSON format. The response will look as follows:

FlowWright OAuth token request

The JSON response contains the following information:

  • access_token – a token for making REST API calls
  • token_type – bearer type token
  • expires_in – expiration in seconds
  • refresh_token – refresh token for requesting tokens in the future
  • refreshTokenExpire – expiration date/time of refresh token in UTC
  • .issued – issued date/time of token in UTC
  • .expires – expiration date/time of token in UTC

Using the “access token” within the above response, calls to the REST API can be made.  Call the REST API call just as before but, instead of passing user name and password for authentication, pass the token as “Bearer” for authentication. Below is a graphic that illustrates the request using the POSTMAN tool:

FlowWright OAuth using access token to make REST API calls

Once the request is sent, FlowWright will validate the token, if successful, will call the intended REST API call and return the result for the call in JSON format. In the above case, we called the “getUsers” REST API call, the following JSON response is returned.

JSON response from REST API call

By default, “access token” has an expiration of 10 minutes: REST API will return the result “token expired” if used after expiry. To avoid this, you must use “refresh token” to request a new access token. Below is the process:

FlowWright REST API OAuth refresh token request

To request a new token, an HTTP POST request is sent to the same token URL:


The following information is sent within the request body:

  • grant_type – set the grant type to “refresh_token”
  • refresh_token – pass the refresh token received from the first token call

FlowWright's REST API will validate the refresh token, and, if successful, it will return a JSON response with a similar response as before:

Now the new “access token” can be used for making REST API calls to FlowWright.  By default, the refresh token is valid for 30 days.  All dates/times used for tokens are in UTC format.  The default expiration values for an access token and refresh token can be changed within the “Web.config” file of the FlowWright REST API.

Because most REST APIs are stateless, each call must perform authentication, validation.  With v9.7 we have enhanced the REST API to be "stateful" so as to maintain user sessions.  With these enhancements to the REST API, we can achieve higher throughput and performance, and shorter execution times, and more efficient development.

These generated OAuth tokens can be used in other parts of the FlowWright application for authentication, too, especially in the Microservices and Configuration Manager user interfaces.