Client credentials flow

Note

Note: 1Password SaaS Manager was previously named Trelica. Some commands and integrations still use or refer to Trelica. Follow directions as written to avoid errors.

Overview

The Client Credentials Flow is the simplest authentication scheme to implement:

  1. Request an Access Token from 1Password SaaS Manager.
  2. Make API calls passing the Access Token you received.

Authentication

Note

You must pass the Client ID and Client Secret in the Authorization header using the standard HTTP Basic Authentication Scheme.

Request an access token

POST https://<app|eu>.trelica.com**/connect/token**


Requests an access token for use with future API requests.

Header
Authorization *string

As per the HTTP Basic Authentication Scheme, in other words

Client ID and Client Secret concatenated with a colon, Base64 encoded, and prepended with the string "Basic ".

Body
scopestringThe OAuth scopes for the data you want to access. The string is case-sensitive. Multiple scopes must be separated by a space character. If no value is passed then all scopes defined for the app will be requested.
grant_type *stringclient_credentials

Responses

  • HTTP 200

    JSON containing the access token and associated information

    {
        "access_token": "<TOKEN>",
        "expires_in": 3600,
        "token_type": "Bearer",
        "scope": "Users.Read"
    }
    
  • HTTP 400

    invalid_client indicates that the Client ID or Client Secret were passed incorrectly (either incorrect values, or not according to the HTTP Basic Authentication scheme). invalid_scope indicates that the scope requested was incorrect, or does not belong to the list of scopes enabled for the SaaS Manager app associated with the credentials passed.

    {
        "error": "<ERROR_CODE>"
    }
    

Example

Requesting the access token using curl

curl https://app.trelica.com/connect/token \
 --user "<CLIENT_ID>:<CLIENT_SECRET>" \
 --data "grant_type=client_credentials&scope=Users.Read"
  • 200

    {
        "access_token": "<TOKEN>",
        "expires_in": 3600,
        "token_type": "Bearer",
        "scope": "Users.Read"
    }
    
  • 400

    {
        "error": "<ERROR_CODE>"
    }
    
    Error CodeDescription
    invalid_clientThe Client ID and/or Client Secret are incorrect
    invalid_scopeThe scope requested was invalid

Making an API call with the access token you received

You can now make API calls, passing the access token you received as part of an Authorization header.

curl https://app.trelica.com/api/scim/v2/Users \
 --header "Authorization: Bearer <ACCESS_TOKEN>"

or if you are on the SaaS Manager EU hosted environment:

curl https://eu.trelica.com/api/scim/v2/Users \
 --header "Authorization: Bearer <ACCESS_TOKEN>"

By accessing or using 1Password Developer Tools, you agree to the API and SDK Terms of Service.



Published: