POST Authorize/OAuth

Obtains an authorization token. The Venafi Authorization End Point (VEDauth) returns a bearer access token and other information.

CAUTION   As with all tokens and credentials, you should secure your bearer tokens. Do not share tokens with other users or applications. If necessary, you can call GET Revoke/Token, and then retry this API call.


You must define an API Application Integration in Aperture and give the caller access. In this API call, use the scope, privilege, and Application ID as the client id. For more information, see Setting up token authentication.

Client ID is the Application ID

Required Permissions

The caller is not required to have any special permissions.


  • Content type: For example, Content-Type:application/json.

  • No bearer access token is necessary for this API call.


In the request URL, specify vedauth. For example, POST https://tpp.venafi.example/vedauth/authorize/oauth. All parameter names are case sensitive.

Input parameters




The application ID identifies an integration, application, or client that uses this REST API.

Use the same values that appear in the Aperture configuration settings for the API Applications Integration. For example, use the Application ID as the client_id. For more information, see Creating API application integrations.

Client ID is the Application ID


The API caller's password, which is already set in the local, AD, or LDAP identity provider.


The set of scope and privilege restrictions that match all of the requirements for the various API calls your application makes. Be sure to set the various scopes you need with settings from the Aperture Configuration for API Application Integration. The settings must match the method requirements in the Token auth map. Otherwise, when you pass the token with your API calls, the calls may fail. For more information, see Token Auth scope and Token Auth privilege restrictions. Specify each scope followed by the privilege, if any:

  • [No scope]: An Authorize/OAuth call is not necessary because future APIs that you are using do not require an access token.
  • Single scope, no privilege restriction: Specify just the scope to get read access. For example, certificate.
  • Single scope and privilege restrictions: Comma separate each privilege. For example, certificate:manage,discover.
  • Multiple scopes, no privilege restrictions: Delimit each scope with a semicolon (;) to get read access. For example, configuration;certificate;ssh.
  • Multiple scopes and privilege restrictions: Delimit each scope with a semicolon (;). If a scope requires a privilege, prepend a colon before the corresponding privilege. Comma separate privileges. For example, certificate:discover,manage,delete;configuration:manage.


(Optional) A session state, redirect URL, or random string to prevent Cross-Site Request Forgery (CSRF) attacks.


The API caller's username, which is already set in the local, AD, or LDAP identity provider. Valid formats:

  • Identity provider (Include the prefix): For example, LDAP+ODSEE:Admin, or AD+venqa:Administrator.
  • User Principal Name (UPN): For example,
  • SAM account name: For example:\Administrator.


For invalid requests, this method returns Error and a message.

On success, the Authorization server returns a HTTP 200 and the following data that applies to the Trust Protection Platform user.

Response description



HTTP 200

For valid requests, Authorize/Oauth returns a HTTP 200 message; and the following data:

  • access_token: A bearer access token. Represents authorization to use the requested scope.
  • refresh_token: Appears only if Refresh Token is enabled in the Remote Access Tree or the API Application Integrations page. The refresh token to use when access_token expires or becomes invalid. To refresh, call POST Authorize/Token refresh.
  • expires_in: The number of seconds until the token expires. For example, 7775999 is 90 days.
  • expires: The expiration time stamp in the Epoch format. The length of time varies based on WebAdmin Remote tree settings.
  • token_type: The description or grant type of the access_token is Bearer.
  • scope: The access token scope that is the authorized range of resources that the client can use.
  • identity: The identity provider and GUID that identifies the user.
  • refresh_until: Represents when the grant expires. The time is represented in epoch time. After this limit has been reached the refresh_token will no longer work and you will need to obtain a new grant via POST Authorize/OAuth.

HTTP 400

Invalid requests return a HTTP 400; it includes one of the following statuses.

  • Application identifier is missing

  • Missing username or password

  • Username/Password authentication not enabled

HTTP 401

If there are authentication errors, this API call returns a HTTP 401; it includes one of the following:

  • Failed to issue grant: [error]

  • Username/password combination not valid

HTTP 403


Example: Use the correct scope; get a bearer token


POST https://tpp.venafi.example/vedauth/authorize/oauth


HTTP/1.1 200 OK