Generating Client Credentials to Obtain Access Token

In order to use either of the public APIs, you need to first get an access token to authorize your API calls.

In order to get an access token, you need to submit your client credentials to the authorization endpoint (which then returns an access token and a refresh token).

In order to get client credentials, you must create a custom client configuration in the Echo360 UI. Don't worry; this part is easy.

Be prepared to copy the ID and Secret you generate to a separate (but secure) location; you will receive this information only once. If you lose it and need it later, you will need to generate a new API client.

To generate API client credentials

  1. Log into Echo360 as an administrator.
  2. Click the Settings icon in the top right corner (it looks like a gear) and select Configurations from the settings menu.
  3. Select API client configurations from the options on the left.
    API Client configurations page with fields for steps as described
  4. The Grant Types sliders are both enabled by default. Disable the Password Credentials slider.
  5. Enter a Client Label that identifies this client and its use.
  6. Click SAVE.
    A popup box appears containing the Client ID and Client Secret, both of which are required to generate the initial access token to use with API calls.
    client ID and secret generated for access as described
  7. Copy and paste the ID and Secret into Notepad or other location. You will NOT receive the secret again, however the Client ID will be available in the Existing Client list for the client you are creating. If you have multiple API client configurations, the new one will appear at the bottom of the Existing Clients list.
    client configurations page showing newly generated API client information

The Client ID and refresh token can be used to generate a new access token, meaning you only need to provide the ID and Secret once to obtain the first access token and a refresh token. Access tokens expire after one hour; refresh tokens never expire but can only be used once. New refresh tokens are generated with each access token.

At this point, you can run a POST call to the access token endpoint using your preferred API client, or you can use the access token endpoint available through Swagger Docs.