Authentication and Authorization API Developer's Guide

Requesting a Token

Once you have an access key and signature, you can request a token using the token REST API. A typical request includes these elements:

URL

https://account.api.here.com/oauth2/token

HTTP Header

Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
oauth_consumer_key="<Access Key>",
oauth_nonce="<Random string, uniquely generated for each request>",
oauth_signature="<Signature>",
oauth_signature_method="HMAC-SHA256",
oauth_timestamp="<Epoch seconds>",
oauth_version="1.0"

The parameters in the HTTP header are described in this table.

Parameter	Description
oauth_consumer_key	The access key ID for which you want to generate a token. For instructions on creating an access key, see Setting up your team and permissions. In the credentials file that you download when you create an access key, the access key ID is the value in the here.access.key.id property.
oauth_nonce	A unique string for this signature. The string cannot have been used in a previous signature. Each request to the Authentication and Authorization API must have a unique signature, and the value in this parameter is what is used to ensure the signature is unique.
oauth_signature	An OAuth 1.0 HMAC-SHA256 signature. For more information, see Creating a Signature
oauth_signature_method	Always use "HMAC-SHA256"
oauth_timestamp	The number of seconds since the Unix epoch at the point the request is generated. The HERE Open Location Platform rejects requests created too far in the past or future.
oauth_version	Always use "1.0"

Request Body

The request body must contain:

grant_type=client_credentials

Note: The value for grant_type must always be client_credentials.

Here is an example request:

POST /oauth2/token HTTP/1.1
Host: account.api.here.com
Authorization: OAuth oauth_consumer_key="1tqA_sample1fLhs2z6_q1l",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1512072698",oauth_nonce="ZGAaMP",oauth_version="1.0",oauth_signature="Q0sample4lqICrx19%2F4ahaH%2Fi2O0NgqDUQJgti5U3Q%3D"
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
 
grant_type=client_credentials

Response

The response body contains:

Parameter	Description
access_token	A token you can use to authenticate REST requests.
token_type	The type of token issued by the Authentication and Authorization API. This value will always be "bearer" since the API issues bearer tokens.
expires_in	The number of seconds until the token expires. Tokens expire 24 hours after they are issued.

Here is an example response:

{
  "access_token":"VE5URXlJbjAuLmE4S0l4eVpQVE1zbHRwcnQyZ1BSVGcuS3RHT2V...",
  "token_type":"bearer",
  "expires_in":86399
}

Now that you have a token, continue to Using a Token.