Skip to main content
Browse Documentation


Created by r.turner, last modified by s.yearsley on 24 Sep 2020

Bearer token

On a successful authentication response the access_token value must be set as the Authorization HTTP header for all REST requests and must be formatted as follows:

Authorization: bearer {access_token}

Periodically the access token will expire to ensure that if compromised, then any grants are short lived. This expiry can be forecast by using the expires_in value returned from an authentication response or can be handled by catching a 401 - Unauthorized response.

401 - Unauthorized

{ "message": "Authorization has been denied for this request." }

On an expiry a new access token will need to be requested using the same mechanism as the initial token request.

Note - If you want to implement your own Delivery API wrapper, then it must implement the OAuth 2.0 client credential flow using the discovery document located at https://*YOUR_CMS_URL*/authenticate.