| 1 | +--- |
| 2 | +tags: [app-integration-development] |
| 3 | +--- |
| 4 | + |
| 5 | +# Extended OAuth |
| 6 | + |
| 7 | +<!-- theme: warning --> |
| 8 | +> ### Early Access |
| 9 | +> |
| 10 | +> The features described on this page are in an Early Access state and are subject to change. Your PagerDuty Account may |
| 11 | +> require a feature flag before this functionality is available to you. Please reach out to us if you have any questions or |
| 12 | +> need support. |
| 13 | +
|
| 14 | +## Register an App |
| 15 | +Extended OAuth Clients allow your application to act on a PagerDuty Account as a PagerDuty App. The access your application has to the PagerDuty Account is controlled by the scopes it is granted. Before you start building, you first need to register a PagerDuty App with an Extended OAuth Client. This is done via the Developer Mode UI in your PagerDuty Account. |
| 16 | + |
| 17 | +The `client_id`, `client_secret` and all selected scopes will be used to obtain an access token. |
| 18 | + |
| 19 | +## Obtaining an Access Token |
| 20 | + |
| 21 | +A scoped account token is obtained by making a client credentials request to the token endpoint. |
| 22 | + |
| 23 | +|Parameter|Description| |
| 24 | +|-|-| |
| 25 | +|`grant_type`|The OAuth 2.0 grant type. Value must be set to `client_credentials`| |
| 26 | +|`client_id`|An identifier issued when the client was added to a PagerDuty App| |
| 27 | +|`client_secret`|A secret issued when the client was added to a PagerDuty App| |
| 28 | +|`scope`|A space separated list of scopes available to the client. Must contain the `as_account-` scope that specifies the PagerDuty Account the token is being requested for using a `{REGION}.{SUBDOMAIN}` format.| |
| 29 | + |
| 30 | + |
| 31 | +```bash |
| 32 | +curl -i --request POST \ |
| 33 | + https://identity.pagerduty.com/global/oauth/token \ |
| 34 | + --header "Content-Type: application/x-www-form-urlencoded" \ |
| 35 | + --data-urlencode "grant_type=client_credentials" \ |
| 36 | + --data-urlencode "client_id={CLIENT_ID}" \ |
| 37 | + --data-urlencode "client_secret={CLIENT_SECRET}" \ |
| 38 | + --data-urlencode "scope=as_account-{REGION}.{SUBDOMAIN} incidents.read services.read" |
| 39 | +``` |
| 40 | + |
| 41 | +The access token will be included in a JSON response along with the scopes that were actually issued to the token. |
| 42 | + |
| 43 | +```json |
| 44 | +{ |
| 45 | + "access_token": "pdus+_0XBPWQQ_dfd3c718-4a46-400d-a8ec-45bab1fd417e", |
| 46 | + "scope": "as_account-us.pdt-sample incidents.read services.read", |
| 47 | + "token_type": "bearer", |
| 48 | + "expires_in": 86400 |
| 49 | +} |
| 50 | +``` |
| 51 | + |
| 52 | +The token is valid for the number of seconds specified `expires_in` in the response. |
| 53 | + |
| 54 | +## Using an Access Token |
| 55 | + |
| 56 | +The access token can be used to access the [REST API](https://developer.pagerduty.com/api-reference/) as a PagerDuty App. |
| 57 | + |
| 58 | +When making an API request, include the version of the API in the `Accept` header. Access tokens must also be sent in the request as part of the `Authorization` header along with the `Bearer` token type, using this format: |
| 59 | + |
| 60 | +```http |
| 61 | +Authorization: Bearer pdus+_0XBPWQQ_dfd3c718-4a46-400d-a8ec-45bab1fd417e |
| 62 | +Accept: application/vnd.pagerduty+json;version=2 |
| 63 | +``` |
| 64 | + |
| 65 | +A `403 - Forbidden` response will be returned if the token does not contain the scope required to access a particular API endpoint |
| 66 | +or the API endpoint does not yet support API Scopes. When the token expires a `401 - Unauthorized` response will be returned |
| 67 | +and a new token must be obtained. |
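Review bot: The "Obtaining an Access Token" section states that the response carries "the scopes that were actually issued to the token" but never tells the integrator what to do when that list is narrower than the `scope` it requested; since a missing scope later surfaces only as a `403 - Forbidden`, suggest adding a sentence that the client should compare the returned `scope` against what it asked for and fail early, and that it should request only the scopes it actually needs rather than every scope selected on the App. The same section should also say that `client_secret` is a credential to be kept server-side (not in client-side code or version control) and that the token should be cached and reused until `expires_in` elapses rather than requested on every API call, which the `curl` example could be read as encouraging. Minor wording: "The token is valid for the number of seconds specified `expires_in` in the response." should read "specified by `expires_in`".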