How to authenticate to the REST API

To call the Tracking REST API, each query must include an access token for authorization. Three access token types are supported: user, client, and device tokens.

User token via user login

User tokens are obtained by logging in with a user's email and password credentials. For more information, see the HERE Tracking API Reference documentation for getting a user access token.

curl -X POST \
  https://{tcHost}/users/v2/login \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "{userEmail}",
    "password": "{userPassword}",
    "realm": "{organizationId}"
}'

This returns a user access token in an accessToken property.

With platform projects, this access token must then be scoped to a specific project so that the HERE Tracking API knows which project the query is attempting to access.

For more information, see Gets a project scoped user access token.

To scope the token to the platform project:

curl -X POST \
  https://{tcHost}/users/v2/tokenExchange \
  -H 'Content-Type: application/json' \
  -d '{
    "accessToken": "{accessToken}",
    "scope": "{projectHrn}"
}'

This returns a project-scoped user access token in the accessToken property. Note that this step is not needed for legacy projects.
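
The two calls above can be chained in a small client that fails closed when a response carries no accessToken property. This is an added example, not code from the HERE documentation; the function names, the fake transport, and every host, credential and HRN value in it are constructed placeholders so the flow runs offline.

```python
import io
import json
import urllib.request

def post_json(url, body, opener):
    """POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener(req, timeout=10) as resp:
        return json.load(resp)

def access_token(response):
    """Return the accessToken property, failing closed if it is absent."""
    token = response.get("accessToken") if isinstance(response, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("response carries no accessToken property")
    return token

def get_user_token(tc_host, email, password, realm, project_hrn=None,
                   opener=urllib.request.urlopen):
    """Log in, then scope the token to project_hrn (skipped for legacy projects)."""
    base = f"https://{tc_host}/users/v2"
    token = access_token(post_json(
        f"{base}/login",
        {"email": email, "password": password, "realm": realm}, opener))
    if project_hrn is None:
        return token
    return access_token(post_json(
        f"{base}/tokenExchange",
        {"accessToken": token, "scope": project_hrn}, opener))

def make_fake_opener(sent):
    """Constructed offline stand-in for urlopen; records each request in sent."""
    def opener(req, timeout=None):
        sent.append((req.full_url, json.loads(req.data)))
        step = "project" if req.full_url.endswith("/tokenExchange") else "user"
        reply = {"accessToken": f"constructed-{step}-token"}
        return io.BytesIO(json.dumps(reply).encode("utf-8"))
    return opener

if __name__ == "__main__":
    sent = []  # every value below is a constructed placeholder
    token = get_user_token("tracking.example", "user@example.com", "pw", "org-1",
                           "hrn:constructed:project", make_fake_opener(sent))
    print(len(sent), "requests sent; token length", len(token))
```

Against a real host, leave out the opener argument and read the password from a prompt or secret store rather than the source file; the script prints only the token length so the token itself does not end up in logs.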

Client token with application OAuth 2.0 credentials

This token is obtained with an application's OAuth 2.0 credentials (key + secret) and then scoped to a specific project.

Refer to the HERE Identity and Access Management - Developer Guide to create your application credentials, and then obtain the token using the OLP CLI.

Note that you need to provide the project's HERE resource name (HRN) when obtaining the token:

olp api token get --scope {projectHrn}

This returns a project-scoped client access token in the accessToken property. Note that legacy projects do not support this token type.

For more information on HRNs, see HRN.