#Get the Access Token

Based on the credentials of an app registration in Elements, refer to the following sections:

#Client Secret

If you want to get the access token with a client secret in an app registration, follow the instructions below to send a POST request:

1. Set the access token URL: https://identity.avepointonlineservices.com/connect/token.

2. Set the header to Content-Type: application/x-www-form-urlencoded.

3. Set the following parameters in the request body:

   • client_id – Copy the Application (Client) ID value in the app registration and paste the value here.

   • client_secret – Copy the Client Secret value that has been saved upon the creation of the app registration, and paste the value here.

   • scope – Set the scope, which is the assigned permissions. Please ensure the permissions have been configured in the app registration.

   • grant_type – Set this value to client_credentials.

4. In the response, the access_token node represents the token value, the expires_in node represents the token will expire in how many seconds, and the scope node lists the assigned permissions of the app registration.

You can use Postman to test the POST request as below:

#Certificate

Once you have the application (client) ID, get the access token via the application (client) ID to authenticate with Elements APIs.

The following information is required to get an access token:

Element	Description
Identity Service URL	https://identity.avepointonlineservices.com
Application (Client) ID	The application (client) ID you have retrieved.
Certificate	The corresponding .pfx certificate file of the .cer certificate you used when registering the app.

To get the access token using the above information, create a JSON web token using the Client ID and certificate first, and then use the JSON web token to request an access token of the defined scope from Identity Service.

Below is an example for getting the access token.

var identityServiceUrl = "{https://identity.avepointonlineservices.com}";var client = new HttpClient();var disco = await client.GetDiscoveryDocumentAsync(identityServiceUrl);if (disco.IsError){ return;}var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest{ Address = disco.TokenEndpoint, ClientAssertion = new ClientAssertion() { Type = OidcConstants.ClientAssertionTypes.JwtBearer, Value = CreateClientAuthJwt(disco) }}if (tokenResponse.IsError){ return;}return tokenResponse.Jsonprivate static string CreateClientAuthJwt(DiscoveryDocumentResponse response) { var clientId = "{Client ID}"; var certificateThumbprint = "{Certificate Thumbprint}"; // set exp to 5 minutes var tokenHandler = new JwtSecurityTokenHandler { TokenLifetimeInMinutes = 60 }; var securityToken = tokenHandler.CreateJwtSecurityToken( // iss must be the client_id of our application issuer: clientId, // aud must be the identity provider (token endpoint) audience: response.TokenEndpoint, // sub must be the client_id of our application subject: new ClaimsIdentity( new List { new Claim("sub", clientId), new Claim("jti", Guid.NewGuid().ToString())}), // sign with the private key (using RS256 for IdentityServer) signingCredentials: new SigningCredentials( new X509SecurityKey(new X509Certificate2(LoadCertificate(certificateThumbprint))), "RS256") ); return tokenHandler.WriteToken(securityToken); }private static X509Certificate2 LoadCertificate(string certificateThumbprint) { var store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); var vCloudCertificate = store.Certificates.Find( X509FindType.FindByThumbprint, certificateThumbprint, false)[0]; return vCloudCertificate; }

*Note: The token you get will expire in one hour, and you need to get the token again after the expiration.