Manage API and OAuth access
OAuth offers greater flexibility and security than API-based authentication, making it a popular authentication method when creating new apps on the HERE platform. This topic demonstrates how to migrate from API-based authentication to OAuth-based authentication.
For more information on configuring your app for OAuth, see OAuth 2.0 tokens.
Ensure your apps use the correct token
OAuth tokens are passed in the authorization header as a bearer token. Update your applications to include a token in the header so that they can make calls to HERE REST APIs.
-H "Authorization: Bearer {YOUR_TOKEN}"
For more information, see:
Configure app scoping permissions
When migrating, you must decide which scopes to offer to the apps in your realm. These scopes determine which projects or resources your apps can access. Any resource linked to a project can only be accessed by an app with scope for the linked project.
However, accessing unscoped projects and resources requires an unscoped access token. To request an unscoped access token, generate an access token without using the scope parameter.
For more information on managing an app's scope, see:
Notify your users of token lifespans
For security purposes, OAuth access tokens have a limited lifespan. The default maximum lifespan for an access token is 24 hours. However, this default may be changed when creating the token via the expiresIn property.
When creating your OAuth refresh token, the expiration date can be seen after the token is created:
{
"accessToken": "eyJhbGciOiJSUz...omKF5Mg-sBjryw",
"expiresAt": "2025-01-01T16:16:14.388Z"
}
For more information, see the HERE OLP CLI user guide on API tokens.
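A client-side check for the lifespan described above, as an added example that is not part of the HERE documentation: it parses a response in the shape shown (accessToken, expiresAt) and refuses to build the bearer header once the token is within a refresh margin of expiry. The CachedToken class, the five-minute margin and the sample token value are assumptions made for this illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape shown above; the token value is a placeholder.
SAMPLE_RESPONSE = (
    '{"accessToken": "SAMPLE.TOKEN.VALUE",'
    ' "expiresAt": "2025-01-01T16:16:14.388Z"}'
)


class TokenExpired(Exception):
    """Raised when the cached token is past, or too close to, its expiry."""


def parse_expires_at(value):
    """Parse the expiresAt timestamp into a timezone-aware UTC datetime."""
    # Python < 3.11 does not accept a trailing "Z", so normalise it first.
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("expiresAt has no timezone; refusing to guess")
    return parsed.astimezone(timezone.utc)


class CachedToken:
    """Hypothetical holder for one access token and its expiry."""

    def __init__(self, response_text, skew=timedelta(minutes=5)):
        body = json.loads(response_text)
        self._token = body["accessToken"]
        self.expires_at = parse_expires_at(body["expiresAt"])
        self.skew = skew  # assumed margin: refresh this long before expiry

    def seconds_left(self, now=None):
        now = now or datetime.now(timezone.utc)
        return (self.expires_at - now).total_seconds()

    def needs_refresh(self, now=None):
        return self.seconds_left(now) <= self.skew.total_seconds()

    def auth_header(self, now=None):
        # Fail closed: never send a token that is expired or about to expire.
        if self.needs_refresh(now):
            raise TokenExpired("token expired or inside the refresh margin")
        return {"Authorization": "Bearer " + self._token}

    def __repr__(self):
        # Keep the token value out of logs and tracebacks.
        return f"CachedToken(expires_at={self.expires_at.isoformat()})"
```
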
Remove API keys in source control
When testing your app, it's possible to accidentally include your API key in files stored by your version control system. This can lead to security issues until the API key is fully deprecated.
As part of the migration process, review your version control system and remove any commits or artifacts that contain your API key.