Before anything can be done with the API, an access token needs to be requested using the Client ID / Client Secret from the API key (for more information about setting up API Users and API keys, see the following articles or consult your Eploy implementation manager):
Access tokens remain valid for 60 minutes.
API ENDPOINT
POST /api/token
HEADERS
Content-Type: application/json
BODY
{
"grant_type": "client_credentials",
"client_id": "BeTHmFqdEimondIhWNfv",
"client_secret": "SLWAGEFxNSDsHoECRHKT"
}EXAMPLE RESPONSE
{
"access_token": " cO72pIfaO6P9cA0g6F8D09455i54T27N84dxk8a8",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "actions.insert,actions.read,actions.update,applications.read,candidates.read,companies.read,contacts.read,export.insert,export.read,files.read,payrates.read,paysalaries.read,placements.read,users.read,vacancies.read,vacancytemplates.read,workflows.read"
}You can specify "scope" when requesting a new token to reduce the access of the API Token returned via the API request, however, this is not required. If "scope" is not specified in the token request, the token will simply allow all permissions that have been allocated to your API key. The scope is returned as part of the response when requesting the token, along with the “access_token” itself and “expires_in”, which tells you how many seconds the token is valid for.