
How to update SRG-SSR OAuth Security

OAuth is an authorization protocol that enables apps to access information on behalf of users without requiring users to divulge their username and password.

The Bearer Token is now valid for 7 days instead of 21 days, so adjust your code accordingly.

With OAuth, security credentials (such as username/password or key/secret) are exchanged for an access token. For example:

joe:joes_password (username:password) or

Nf2moXXXXXXeUmXVdDhlXXXaXm2U7eMc:unUOXYpPe74ZfLEb (key:secret)

becomes something like:

b0uXXXXXZLEo4lEu7ky2XXxHkanN

The access token is a random string of characters and is temporary (it should expire after a relatively short time), so passing it around to authenticate a user in an app workflow is much more secure than passing around actual credentials.

[Figure: OAuth client credentials flow illustration]

Important:

If you have never used our service before, first go to My Apps, log in if asked, and click the ADD A NEW APP button. Fill in a name for your app. The callback URL can be left empty. Click 'CREATE APP'.

Click on your newly created app and notice the values of 'CONSUMER KEY' and 'CONSUMER SECRET'.

These are your credentials in the call to the accesstoken endpoint. Do not use your own username and password for any API calls!

Make an HTTP POST request to the accesstoken endpoint, passing your client credentials as shown below.

curl -X POST \
  'https://api.srgssr.ch/oauth/v1/accesstoken?grant_type=client_credentials' \
  -H 'Authorization: Basic base64<ClientId:ClientSecret>' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Length: 0' \
  -H 'Postman-Token: XX264e32-2de0-f1e3-f3f8-eab014bbXX76'

Response

{
  "issued_at" : "1466025769306",
  "application_name" : "716bbe61-f14a-4d85-9b56-a62ff8e0d347",
  "scope" : "",
  "status" : "approved",
  "api_product_list" : "[helloworld_oauth2-Product]",
  "expires_in" : "3599", //--in seconds
  "developer.email" : "nigel@example.com",
  "token_type" : "BearerToken",
  "client_id" : "XXnREu1DNGfiwzQZ5HUN8XXUwZSW1GZW",
  "access_token" : "XXPY9VUHCqKVMRBXXHxnmAp0RXc0",
  "organization_name" : "myOrg",
  "refresh_token_expires_in" : "0", //--in seconds
  "refresh_count" : "0"
}

Use the received access token in the Authorization header to call an OAuth-protected API endpoint.

curl -X GET \
  'https://api.srgssr.ch/rts/archives/v2/audios' \
  -H 'Authorization: Bearer <accesstoken>' \
  -H 'Cache-Control: no-cache' \
  -H 'Postman-Token: 561XX353-805e-4974-66XX-5efXX86e2d80'
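
The two calls above can be wrapped in a small token cache that derives the expiry from the response instead of hard-coding a lifetime, so a change such as 21 days to 7 days needs no code change. This is an added example, not SRG SSR code: TokenCache, expiry_epoch, the 60-second skew and the millisecond reading of issued_at are assumptions, and SAMPLE is constructed from the response shown above.

```python
import base64, json, time, urllib.request

TOKEN_URL = "https://api.srgssr.ch/oauth/v1/accesstoken?grant_type=client_credentials"

def basic_header(key, secret):
    """Authorization value for the token call: Basic base64(key:secret)."""
    return "Basic " + base64.b64encode(f"{key}:{secret}".encode()).decode("ascii")

def fetch_token(key, secret):
    """POST to the accesstoken endpoint with an empty body (network call)."""
    req = urllib.request.Request(TOKEN_URL, data=b"", method="POST",
                                 headers={"Authorization": basic_header(key, secret)})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def expiry_epoch(resp):
    """Expiry in epoch seconds. Assumption: issued_at is in milliseconds
    (13 digits in the sample response); expires_in is in seconds."""
    return int(resp["issued_at"]) // 1000 + int(resp["expires_in"])

class TokenCache:
    """Hypothetical helper: reuse the token until shortly before it expires."""
    def __init__(self, key, secret, fetch=fetch_token, clock=time.time, skew=60):
        self._key, self._secret = key, secret
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._resp = None

    def bearer_header(self):
        # Fetch on first use, or when the cached token is within `skew` seconds of expiry.
        if self._resp is None or self._clock() >= expiry_epoch(self._resp) - self._skew:
            resp = self._fetch(self._key, self._secret)
            if resp.get("status") != "approved":
                raise RuntimeError("token request not approved")
            self._resp = resp
        return {"Authorization": "Bearer " + self._resp["access_token"]}

# Constructed sample taken from the response shown above (placeholder values).
SAMPLE = {"issued_at": "1466025769306", "expires_in": "3599",
          "status": "approved", "access_token": "XXPY9VUHCqKVMRBXXHxnmAp0RXc0"}

if __name__ == "__main__":
    # Offline demo: a stub replaces the network call and the clock is fixed.
    cache = TokenCache("key", "secret", fetch=lambda k, s: dict(SAMPLE),
                       clock=lambda: 1466025770)
    print(cache.bearer_header(), expiry_epoch(SAMPLE))
```

Keep the consumer key and secret out of source control and pass them in from the environment or a secret store; only the short-lived token should travel with API requests.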

Watch our short video to see how we do that with curl and Postman:

 

Video file
