Skip to main content

Cookie control banner

Necessary Cookies
These cookies are necessary for this website to function correctly. They are set when you perform certain actions on the site, such as creating an account, logging in, changing your privacy preferences or submitting a form. You can block these cookies in your browser, but this will stop parts of the site from working properly.
Functional Cookies
These cookies allow the website to provide extra functionality and more personalised experiences. They may be set by us or by third party providers whose services we have added to our pages. If you choose not to allow these cookies, these services may not work correctly.
Analytical Cookies
These cookies record anonymous data on how visitors use our website to help us monitor how well our website works. This data includes how many people have looked at specific pages, how long visitors stay on the site, and what devices they use. We use this data to identify changes that we could make to improve your experience and make our website more efficient.
Marketing Cookies
We set some cookies so you are shown more relevant marketing content. These include cookies from third-party advertising networks to show you different adverts on their services if you have previously visited our site. If you choose not to allow these cookies, you may experience less relevant advertising on other sites.
Browse Documentation


Created by r.turner, last modified by s.yearsley on 24 Sep 2020

Bearer token

On a successful authentication response the access_token value must be set as the Authorization HTTP header for all REST requests and must be formatted as follows:

Authorization: bearer {access_token}

Periodically the access token will expire to ensure that if compromised, then any grants are short lived. This expiry can be forecast by using the expires_in value returned from an authentication response or can be handled by catching a 401 - Unauthorized response.

401 - Unauthorized

{ "message": "Authorization has been denied for this request." }

On an expiry a new access token will need to be requested using the same mechanism as the initial token request.

Note - If you want to implement your own Delivery API wrapper, then it must implement the OAuth 2.0 client credential flow using the discovery document located at https://*YOUR_CMS_URL*/authenticate.