Resource Owner Flow

Getting a token to access a resource you own is simple. See below for details and examples. Remember you can find all your own client IDs and secrets in your Welcome email.

For this flow we recommend you simply create a new token for each use of the API. You can, however, use refresh tokens, which are covered below.

If you're an enterprise customer, replace {enterprise_pin} with your enterprise PIN. This can be found on the management portal page. If you're not an enterprise user, please do not include {enterprise_pin}/ before the username.

Request

POST https://identity.qflowhub.io/core/connect/token

Content-type: application/x-www-form-urlencoded

client_id=acme_resowner&client_secret=cb818203-d58c-4bf7-a66a-43522716cf69&username={enterprise_pin}/joe.bloggs@acme.com&password=secret1234&scope=qflowapi+openid+offline_access&grant_type=password

Response

{ 
"access_token" : "c6102720a52dbd822e24d567b002160c",
"expires_in" : 3600,
"token_type" : "Bearer",
"refresh_token" : "2573de01ab1b8a1d0bb3b1ac4dd0b3ca"
}

PHP

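// Example values only: load real credentials from configuration or a secret store.
$url = 'https://identity.qflowhub.io/core/connect/token';
$clientId = 'acme_resowner';
$clientSecret = '96184159-60d4-4ad4-a11e-0ff3ddcc6678';
$username = '{enterprise_pin}/joe.bloggs@example.com';
$password = 'secret1234';
// Space-separated scopes; http_build_query encodes the spaces as '+'.
$scope = 'qflowapi openid offline_access';
$grantType = 'password';
$options = array( 'http' => array(
    // Double quotes so that \r\n is a real CRLF rather than literal backslashes.
    'header' => "Content-type: application/x-www-form-urlencoded\r\n",
    'method' => 'POST',
    // http_build_query URL-encodes every value, so characters such as '&',
    // '+' or '=' in a password cannot corrupt the form body.
    'content' => http_build_query(array(
        'client_id' => $clientId,
        'client_secret' => $clientSecret,
        'username' => $username,
        'password' => $password,
        'scope' => $scope,
        'grant_type' => $grantType )) ) );
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
if ($result === false) {
    exit('Token request failed');
}
$obj = json_decode($result);
$accessToken = $obj->{'access_token'};
echo $accessToken;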

CSharp

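using System;
using System.Collections.Generic;
using System.Net.Http;
using Newtonsoft.Json;

// Example values only: load real credentials from configuration or a secret store.
var url = "https://identity.qflowhub.io/core/connect/token";

var clientId = "acme_resowner";
var clientSecret = "96184159-60d4-4ad4-a11e-0ff3ddcc6678";
var username = "{enterprise_pin}/joe.bloggs@example.com";
var password = "secret1234";
// Space-separated scopes; FormUrlEncodedContent encodes the spaces as '+'.
var scopes = "qflowapi openid offline_access";
var grantType = "password";
// FormUrlEncodedContent URL-encodes every value and sets the Content-Type header,
// so characters such as '&' or '+' in a password cannot corrupt the form body.
var form = new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["client_id"] = clientId,
    ["client_secret"] = clientSecret,
    ["username"] = username,
    ["password"] = password,
    ["scope"] = scopes,
    ["grant_type"] = grantType
});

using (var client = new HttpClient())
{
    var result = await client.PostAsync(url, form);
    result.EnsureSuccessStatusCode(); // throws on a non-2xx reply
    dynamic json = JsonConvert.DeserializeObject(await result.Content.ReadAsStringAsync());
    var token = json.access_token;
    Console.WriteLine(token.ToString());
}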

Using Refresh Tokens

When your access token expires (after 3600 seconds/1 hour), you can use the refresh token to get a new access token without requiring the username and password again.

Request

POST https://identity.qflowhub.io/core/connect/token

Content-type: application/x-www-form-urlencoded

client_id=acme_resowner&client_secret=cb818203-d58c-4bf7-a66a-43522716cf69&grant_type=refresh_token&refresh_token=2573de01ab1b8a1d0bb3b1ac4dd0b3ca

Response

{     
"access_token" : "0c2755f5d36af99a5348e975238c757e",
"expires_in" : 3600,
"token_type" : "Bearer",
"refresh_token" : "83ad01892763ea5069999c52b5b373e4"
}

PHP

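// Example values only: load real credentials from configuration or a secret store.
$url = 'https://identity.qflowhub.io/core/connect/token';
$clientId = 'acme_resowner';
$clientSecret = '96184159-60d4-4ad4-a11e-0ff3ddcc6678';
$refreshToken = '2573de01ab1b8a1d0bb3b1ac4dd0b3ca';
$grantType = 'refresh_token';
$options = array(
    'http' => array(
        // Double quotes so that \r\n is a real CRLF rather than literal backslashes.
        'header' => "Content-type: application/x-www-form-urlencoded\r\n",
        'method' => 'POST',
        // http_build_query URL-encodes every value in the form body.
        'content' => http_build_query(array(
            'client_id' => $clientId,
            'client_secret' => $clientSecret,
            'grant_type' => $grantType,
            'refresh_token' => $refreshToken ))));
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
if ($result === false) {
    exit('Token refresh failed');
}
$obj = json_decode($result);
$newAccessToken = $obj->{'access_token'};
// The refresh token just sent is single-use: store this replacement for the next refresh.
$newRefreshToken = $obj->{'refresh_token'};
echo $newAccessToken;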

CSharp

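using System;
using System.Collections.Generic;
using System.Net.Http;
using Newtonsoft.Json;

// Example values only: load real credentials from configuration or a secret store.
var url = "https://identity.qflowhub.io/core/connect/token";
var clientId = "acme_resowner";
var clientSecret = "96184159-60d4-4ad4-a11e-0ff3ddcc6678";
var refreshToken = "2573de01ab1b8a1d0bb3b1ac4dd0b3ca";
var grantType = "refresh_token";

// FormUrlEncodedContent URL-encodes every value and sets the Content-Type header.
var form = new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["client_id"] = clientId,
    ["client_secret"] = clientSecret,
    ["grant_type"] = grantType,
    ["refresh_token"] = refreshToken
});

using (var client = new HttpClient())
{
    var result = await client.PostAsync(url, form);
    result.EnsureSuccessStatusCode(); // throws on a non-2xx reply
    dynamic json = JsonConvert.DeserializeObject(await result.Content.ReadAsStringAsync());
    var newAccessToken = json.access_token;
    // The refresh token just sent is single-use: store this replacement for the next refresh.
    var newRefreshToken = json.refresh_token;
    Console.WriteLine(newAccessToken.ToString());
}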

Important Notes about Refresh Tokens

  • Since we use offline_access scope, refresh tokens don't expire (unless revoked)

  • Each refresh token is single-use - once used, you receive a new refresh token in the response

  • Store refresh tokens securely as they're long-lived credentials

  • No username/password needed when using refresh tokens

  • The new access token will have the same scopes as the original
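
The notes above imply a specific client design: reuse the access token until it is close to expiry, and on every refresh persist the replacement refresh token before doing anything else, because the old one is already spent. The following Python sketch is an added example, not code from the service's own documentation; `TokenManager`, `save_refresh_token`, `http_post_form`, the 60-second skew and the token file path are assumptions made for illustration.

```python
import json, os, tempfile, time
import urllib.parse, urllib.request

TOKEN_URL = "https://identity.qflowhub.io/core/connect/token"

def http_post_form(url, form):
    """Default transport: URL-encode the form and POST it over HTTPS."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def save_refresh_token(path, token):
    """Atomically replace the stored token; the file is owner-only (0600)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:   # mkstemp creates the file with mode 0600
        fh.write(token)
    os.replace(tmp, path)            # readers never see a half-written file

class TokenManager:
    """Hypothetical helper: caches the access token, rotates the refresh token."""
    def __init__(self, client_id, client_secret, store_path,
                 post=http_post_form, skew=60):
        self.client_id, self.client_secret = client_id, client_secret
        self.store_path, self.post, self.skew = store_path, post, skew
        self.access_token, self.expires_at = None, 0.0

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        if self.access_token and now < self.expires_at - self.skew:
            return self.access_token          # still valid: no network call
        with open(self.store_path) as fh:
            refresh_token = fh.read().strip()
        reply = self.post(TOKEN_URL, {
            "client_id": self.client_id, "client_secret": self.client_secret,
            "grant_type": "refresh_token", "refresh_token": refresh_token})
        if "access_token" not in reply or "refresh_token" not in reply:
            raise RuntimeError("token endpoint error: %s"
                               % reply.get("error", "unknown"))
        # The old refresh token is now spent: persist its replacement first.
        save_refresh_token(self.store_path, reply["refresh_token"])
        self.access_token = reply["access_token"]
        self.expires_at = now + int(reply["expires_in"])
        return self.access_token
```

Seed the token file once with the `refresh_token` returned by the password grant; after that the username and password never need to be held by the running process.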