How to get authorization token

To use GraphQL Subscriptions we need to send authorization headers

  "Authorization":"Bearer <SET_TOKEN>"

How can we get token for our end user to subscribe from a browser?

Hi @Amerehei,

How are you getting the OAuth bearer token for other API calls? If you have the bearer token for the other API calls, you should be able to use the same token with a subscription call as well.

If you aren’t able to get the token from your app let me know and we can figure out a solution.

@Kevin We are using the Bot Token for server-side communication, but we can’t use that token on the client side.

Hi @Sathish,

Thanks for the clarification. You can get a bearer token using OAuth2 in the same way that your web application is getting the bearer token.

You can use our new OAuth2 v3 code flow, which follows the same structure as v2 OAuth code flow.

OAuth Authorization URL:

Authorization Token endpoint:

You will need to:

  1. Create your application to get clientId/clientSecret with redirect to your server
  2. In server code, set endpoint, scope, response_type, etc.:

const base_API = "";
const base_auth_url = `https://${base_API}/v3/oauth2/authorize`;
const token_endpoint = `https://${base_API}/v3/oauth2/token`;

const authType = "code";
const client_scope = "scope=v2legacy";
const client_id = "<yourClientId>";
const client_secret = "<yourAppSecret>";
const client_redirect = "http://localhost:3001/auth/callback";

  3. In web browser (or URL redirect from server), make call to Bluescape authorization server with your application clientId and redirect URL:

<yourClientId>&redirect_uri=http://localhost:3001/auth/callback&scope=v2legacy%20offline_access

  4. After user authorizes access from UI presented from step 3, access code is returned to client_redirect

  5. Server uses token endpoint with returned client_redirect to get bearer token tied to the user that granted access

example config:

getBearerToken.axios.config = {
  method: 'post',
  maxBodyLength: Infinity,
  url: '',   // token_endpoint
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  data: new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: '<yourClientId>',
    client_secret: '<yourClientSecret>',
    redirect_uri: 'http://localhost:3001/auth/callback',
    code: '<yourAccessCodeReturnedFromAuthorizationCallback>'
  })
};

sample response with bearer token and refresh token:

{
  access_token: '<yourBearerToken>',
  expires_in: 3600,
  refresh_token: '<refreshTokenUsedToGetNewBearerToken>',
  scope: 'v2legacy',
  token_type: 'Bearer'
}

  6. Server can continue to generate new bearer token from refresh token, so the manual authorization wouldn’t need to be done unless refresh token was expired (which I believe is one year)

You can then use the bearer token for subscription or any other API call.

Please let me know if you have any additional questions.

@kkoechley Can you refer me to the documentations to have list of scopes?

Hi @Amerehei,

We currently only support scope=v2legacy which will give the same permissions in the API token as the user that authorized access.

If you want to control permissions of your API application, you can create a user, say “” and then you can add the bot user to workspaces and grant permissions just like any other user.
