API Reference


The preferred authentication method is to include an Authorization header with the value of Basic <client_id:client_secret> in your request. The body of the request must be grant_type=client_credentials.

If your user agent cannot set the Authorization header, you may include the client_id and client_secret in the body of the request as form encoded parameters. The body of the request would then be grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>.

The client can optionally specify a scope parameter to limit the scope of the returned access token. In turn, the server uses a scope response parameter to inform the client of the scope of the actual access token issued. The actual scope returned may not match the scope requested.
Subsequent requests to Workiva APIs are authorized using the bearer token.

POST /oauth2/token


client_idbodystringfalseA previously obtained client id.
client_secretbodystringfalseA previously obtained client secret.
grant_typebodystring(^client_credentials$)trueThe grant type for the Bearer token. Must be client_credentials.
scopebodystringfalseThe scope of the access request.

Body parameter example

client_id: string
client_secret: string
grant_type: string
scope: string

Code Samples

curl -X POST https://api.app.wdesk.com/iam/v1/oauth2/token  \ 
-H 'Content-Type: application/x-www-form-urlencoded' \ 
-H 'Accept: application/json'
http POST https://api.app.wdesk.com/iam/v1/oauth2/token  \ 
Content-Type:application/x-www-form-urlencoded \ 
wget --method=POST "https://api.app.wdesk.com/iam/v1/oauth2/token" \
 --output-document -  \ 
 --header 'Content-Type: application/x-www-form-urlencoded' \ 
 --header 'Accept: application/json'
import requests
headers = {
  'Content-Type': 'application/x-www-form-urlencoded',
  'Accept': 'application/json'

r = requests.post('https://api.app.wdesk.com/iam/v1/oauth2/token', headers = headers)



200 - OK

Bearer token to use in subsequent requests to the Workiva APIs.

400 - Bad Request

Error response object containing an error code.

401 - Unauthorized

Error response object containing an error code.

Example Responses

  "access_token": "string",
  "expires_in": "integer",
  "scope": "string",
  "token_type": "string"
  "error": "string",
  "error_description": "string",
  "error_uri": "string"
  "error": "string",
  "error_description": "string",
  "error_uri": "string"