Getting a token

This example shows you how to get and use a bearer access token. Most Venafi REST calls have a grant scope and restriction. Depending on your third-party application, you may need other scopes as well. To get a token, you must pass the required scopes(s) and restriction(s) to the VEDauth authentication server. Otherwise, subsequent API calls may fail.

Once you have the token, you can pass it in the header of other API calls until the token expires. When it expires, you use the refresh token to get a new bearer access token. When you are done with a token, always call GET Revoke/Token.


Register an API Integration and give the caller access. Use the scope and other information from the integration. For more information, see Setting up token authentication.

Client ID is the Application ID

To get a token

  1. To get a scope that applies to all of the API calls that your client runs, use the Scope map for tokens.
  2. Make an Authorize call. Specify the scope that grants access to a set of endpoints.

    TIP  If your implementation has several REST calls, the scope parameter request grants for every REST call. You pass the same token for each call. To find scopes and privilege restrictions, use the Scope map for tokens.

    POST https://tpp.venafi.example/vedauth/authorize/oauth


    You get an access bearer token and a refresh token for your API calls.

    HTTP/1.1 200 OK
  3. (Optional) Store the refresh_token for future use. When the token expires, use the value to call POST Authorize/Token refresh.
  4. Place the access_token in the REST header of other Venafi REST API calls. For more information, see Passing a bearer token in your API calls. For example:


    Authorization:Bearer "KT2EEVTIjWM/37L78dqJAg=="

    TIP   Your client can reuse the same token until it expires. As necessary, your client should track the expiration time and use the refresh token to get a new one. On exit, your client can revoke the token.