Server-to-Server Authentication

Also known as (Client Grant Credentials in Oauth Spec)

EduFocal uses API keys to authenticate requests from third party services. You can obtain your API keys by contacting

Be sure to keep your keys secure. Do not share your keys publicly or commit them to your repository, nor embed in your web pages that you serve to your users.

Authentication is performed via bearer auth, that is you pass in the Authorization header with the bearer token specified.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

You can get a bearer token by submitting a request to the /oauth/token endpoint:

async function getBearerToken() {
  let credentials = {
    'grant_type': 'client_credentials',
    'client_secret': 'zEzCZpPcWJkOa8Rdi54zTeJT1Ja8vP2HeNMb5gut',
    'client_id': 3,
    'scope': 'plans.list codes.manage'

  let response = await fetch('/oauth/token', {
    method: 'POST',
    mode: 'cors',
    cache: 'no-cache',
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json'
    body: JSON.stringify(credentials)

  let bearerToken = await response.json();
  return bearerToken;

console.log(await getBearerToken());

Here we are using our client credentials to request the scopes: plans.list and codes.manage. Scopes are special privileges that you must be pre-approved to use during your account setup. You are granted these privileges on a case-by-case basis. You are still required to specify what scopes you want your bearer token to have.

If all goes well, you will get a response that looks like:

    "token_type": "Bearer",
    "expires_in": 259200,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6I..."