Step 4: Use the access token to allow API access
Added by IBM contributorIBM | Edited by IBM contributorAlex Leiskau on February 19, 2015
Rate this article 1 starsRate this article 2 starsRate this article 3 starsRate this article 4 starsRate this article 5 stars

Now that the access token is available, you can make the API call. Be sure to include the access token in the authorization header when you invoke the API.

Use the access token to allow API access

The short-lived access token can be used for two hours to access the protected resources. After the access token expires, use the long-lived refresh token to obtain a new access token. The refresh token that is used to obtain new access tokens can be used for 90 days by default.

API details

If you want to make an API call to any of the protected resources in IBM Connections Cloud™, use the following URI:


The following parameter is required:

Table 1. Input parameter
The access token that is used as a bearer token to access the protected resource. The access token is valid for two hours from time it is granted. The maximum number of characters is 256.

Connections Cloud supports sending these parameters via an authorization header of a GET or POST request. Use Authorization: Bearer.

Example URI

Authorization: Bearer <access_token>

If the access token is valid for the protected resource on Connections Cloud, access is granted. If you call getUserIdentity as described in the example URI above, user information such as subscriber ID, customer ID, name, and email are returned.

Note: For a list of Connections Cloud protected resources that can be integrated with your application, including APIs for files, activities, communities, and more, see the" target="external">API Referenceexternal link in the Social Business Development wiki.

Response codes and messages

Successful requests return a 200 response code. If your request is unsuccessful, refer to the following error codes and explanations:

BAD REQUEST (400): oauth_absent_parameters: <parameter_list>
The parameter_list parameters must be included in the request.
BAD REQUEST (400): oauth_duplicated_parameters: <parameter_list>
Duplicate parameters were passed in the request.
BAD REQUEST (400): oauth_unsupported_parameters: <parameter_list>
Unsupported parameters were passed in the request.
BAD REQUEST (400): oauth_invalid_parameters <parameter_list>
Invalid parameters were passed in the request.
UNAUTHORIZED (401): oauth_invalid_accesstoken
The access_token parameter is not valid.
UNAUTHORIZED (401): oauth_access_token_expired
The access token has expired.
UNAUTHORIZED (401): Service Component not found
The application associated with the credentials that were passed with the request cannot be found in Connections Cloud.
UNAUTHORIZED (401): oauth_consumer_missing_subscription
The user is not subscribed to this application.
OAuth 2.0 is not supported at this time. Contact your administrator.
INTERNAL SERVER ERROR (500): oauth_request_failed
The OAuth flow failed. Try again or contact the administrator.
Parent topic: OAuth 2.0 APIs for web server flow
Previous topic: Step 3: Exchange authorization code for access and refresh tokens
Next topic: Step 5: Get a new access token after the access token has expired