This is a really important message about something. It could be about anything we deem important enough to tell everyone. It might have links to places, but shouldn't have any images or non-text content. Messages shouldn't be longer than two lines on normal sized layouts.
Genesys Cloud Developer CenterGenesys Cloud Developer Center
Browser storage is disabled

Your theme selection will not be remembered when you refresh the page. Please enable browser storage in the Account Switcher above to allow this setting to be remembered.

Topics
Analytics & Data Management
Authorization
Overview
Auth API Resources
Platform API Client Authorization
Overview Additional Authorization Parameters
Authorization Guides
Digging Deeper Enable CORS Fine-Grained Access Control Grant - Authorization Code Grant - Client Credentials Grant - Implicit Grant - OAuth2 SAML2 Bearer Grant - Proof Key for Code Exchange (PKCE) How to Use Base 64 Encoding OAuth Redirect Error Codes OAuth Scopes Quick Reference
Billing
Communication & Digital Channels
GDPR & Privacy
Notifications & Alerts
Organization
Platform
Routing & Conversation Handling
Telephony
User & Agent Management
Resources
Announcements
AppFoundry
Genesys for Builders - Amazon Web Services Developer Blog Blueprints Changelog
Developer Applications
Developer Guides Videos
Home
|Authorization
|Platform API Client Authorization
Removed from toolbox

Grant - Authorization Code

The Authorization Code Grant is a two-step authentication process where a user authenticates with Genesys Cloud, then the client application is returned an authorization code. The client application uses the authorization code to make an unauthenticated API request to get an access token. The access token can then be used when making authenticated API calls. This is the most secure option and ideal for websites where API requests will be made server-side (e.g. ASP.NET or PHP) and some desktop applications where a thin client would authorize the user and pass the auth code to a back-end server to exchange for an auth token and make API requests.

Overview of the Authorization Code Grant flow

Obtain an Access Token

Follow these steps to obtain an access token using the authorization code method. For a more concise rundown, see Quick Reference.

Get the OAuth Client Information

Navigate to the OAuth admin page (Admin > Integrations > OAuth). The Client ID for each configured OAuth client will be shown in the list. Editing the OAuth client will additionally display the grant type, client secret, and the redirect URIs. Take note of these values as they will be used in the following steps. For help creating a new OAuth client, see Create an OAuth Client.

Redirect to Genesys Cloud

Redirect the user's browser to the Genesys Cloud authorization server:

Copied
https://login.mypurecloud.com/oauth/authorize
?client_id=<my-client-id>
&response_type=code
&redirect_uri=<http://example.com/oauth/callback>

Authenticate with Genesys Cloud

The user will provide their credentials to Genesys Cloud via one of the supported methods. More information on logging in: Log in, Log in using SSO

If the OAuth client has not been authorized and the user has the oauth:client:authorize permission, they will need to authorize it. More information on authorizing OAuth clients: Authorize an OAuth Client

Redirect to Application

The authorization server redirects the browser to your application at the specified redirect URI. The redirection URI includes a querystring parameter named code containing the authorization code.

http://example.com/oauth/callback?code=my-authorization-code

The authorization server may redirect the browser to your application with an error code. For more info, see OAuth Error Redirects

Exchange Authorization Code for Access Token

Make a POST request to the authorization service to exchange the authorization code for an access token. The request must contain the client ID and client secret in the base 64 encoded Authorization header. For help creating the Authorization header, see How to Use Base 64 Encoding. The authorization code obtained in the previous step must be provided as part of the form encoded body.

Copied
POST /oauth/token HTTP/1.1
Host: login.mypurecloud.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic BASE64(<client_id>:<client_secret>)

grant_type=authorization_code&code=<my-authorization-code>&redirect_uri=<http://example.com/oauth/callback>

The authorization service returns a JSON response with the token, token type, token expiry time in seconds, refresh token, and an error string if an error occurred.

Copied
{
  "access_token": "token",
  "token_type": "bearer",
  "expires_in": 86400,
  "refresh_token": "my-refresh-token",
  "error": "optional-error-message"
}

Additional Options

For additional query string parameter options, see Additional Authorization Parameters.

Use the access token

Follow these guidelines for using access tokens:

  • After authenticating, include a token with every API request.
  • Pass the token using the HTTP Authorization header with the bearer keyword, as follows:
Copied
GET /api/v2/users/me HTTP/1.1
Host: api.mypurecloud.com
Content-Type: application/json
Authorization: Bearer token

Refresh Tokens

When the access token expires, a new access token can be obtained without interacting with the user by using the refresh token. To get a new access token using this method, make a request to the authorization service to exchange the refresh token for an access token. The response will be in the same format as the original response. Applications should forget the old refresh token and remember the new one as a refresh token may only be used once and the refresh response will include a new refresh token. If this request results in an error, the application must consider the user's session invalidated and must cause the user to initiate the full authorization code flow to reauthorize the application.

Copied
POST /oauth/token HTTP/1.1
Host: login.mypurecloud.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic BASE64(<client_id>:<client_secret>)

grant_type=refresh_token&refresh_token=<my-refresh-token>

Example

For a walkthrough of the authorization code grant, see the OAuth Authorization Code Grant guide.

Genesys Cloud resourcesBeyond TrainingCommunity ForumKnowledge NetworkResource CenterStatus
App FoundryOverviewAvailable AppsContributeStyle Guide
Connect with usGithubTwitterDeveloper ForumDeveloper BlogGenesys BlogDevCast Newsletter
Copyright © 2025 Genesys. All rights reserved.
Terms of Use | Privacy Policy
On this page

Privacy Settings

This site uses cookies and related technologies, as described in our privacy policy, for purposes that may include site operation, analytics, enhanced user experience, or advertising. You may choose to consent to our use of these technologies, or manage your own preferences. Learn more here