Request an OAuth 2.0 access token that identifies your identity

Grant Types:

Client Credentials Grant Type [client_credentials]

• Request a client token that identifies your application by providing your client credentials.
  • Use grant type - client_credentials
  • An optional scope can be added to the request body to request a project scoped access token
  • This API requires clients to use certain OAuth Core signature headers. The request must be signed with the provisioned client access key secret (here.access.key.secret) as documented in Signing Requests
  • Developers may wish to try out the sample Java code in documentation demonstrating this API

Token Exchange Grant Type [urn:ietf:params:oauth:grant-type:token-exchange]

• Create a new HERE access token via exchange of an existing trusted OpenID Connect Identity Provider access token.
  • Use grant type - urn:ietf:params:oauth:grant-type:token-exchange
  • Client authentication via the Authorization header is not required
  • The subject_token identifies the access context in the third-party issuer's identity namespace, and the "sub" claim within that token uniquely identifies the security principal within that identity provider's namespace
  • If used with a IdentityProvider that is configured for accountType=device, and a "sub" claim is present, a DeviceAccount is created upon first token exchange and re-used for subsequent tokens with the same "sub" claim value
  • See also OAuth 2.0 Token Exchange

External Issuer Grant Type [jwtIssNotHERE]

• Sign In with OpenID Connect compliant OEM token
  • Use grant type - jwtIssNotHERE
  • The OEM access token is used in the authorization header