Step 4: Get the access token
Added by IBM contributorIBM | Edited by IBM contributorAlex Leiskau on February 20, 2015
Rate this article 1 starsRate this article 2 starsRate this article 3 starsRate this article 4 starsRate this article 5 stars

In this step, the request token is exchanged for an access token. The access token expires after 10 hours.
After the expiration, the application must start the OAuth flow from Step 2: Get a request token using a server-to-server call to following URL:


The following image shows this process in more detail:

Get the access token

The following required parameters are sent during the process of getting a access token:

Table 1. Required parameters
The OAuth consumer key.
Random string to avoid replay attack. Because IBM Connections Cloud uses only PLAINTEXT signature method over HTTPS, this parameter is not checked for replay attack. However it is important to specify some value.
This parameter specifies a signature algorithm. Connections Cloud supports only PLAINTEXT.
You should sign the request by specifying the signature.+
Set the value as an integer that represents the time the request is sent. The timestamp should be expressed in number of seconds after January 1, 1970 00:00:00 GMT. Because Connections Cloud uses only PLAINTEXT signature method over HTTPS, this parameter is not checked for replay attack. However, it is important to specify some value.
The verification code received in Step 3: Obtain authorization.
The OAuth version used by the requesting web application. The value should be 1.0.

Connections Cloud supports the following ways to send these parameters:
  • Authorization header of a GET or POST request. Use Authorization: OAuth.
  • Body of a POST request. Make sure that the content type is Content-Type: application/x-www-form-urlencoded.
  • URL query parameters in a GET request.

Response codes

Successful responses return response code 200 with the access token and the access token secret, for example:


Bad requests return response code 400 and one of the following parameters:
  • oauth_absent_parameters
  • oauth_duplicated_parameters
  • oauth_unsupported_parameters
  • oauth_invalid_parameters
  • oauth_unsupported_signature_method
Unauthorized requests return response code 401 and one of the following parameters:
  • oauth_invalid_signature
  • oauth_invalid_consumerkey
  • oauth_invalid_consumersecret
  • oauth_missing_consumersecret
  • oauth_missing_tokensecret
  • oauth_invalid_requesttoken
  • oauth_token_expired
  • oauth_token_not_verified
Parent topic: OAuth 1.0a APIs for web server flow
Previous topic: Step 3: Obtain authorization
Next topic: Step 5: Make the API call