
Resource Owner Password Flow

WARNING: This page describes an authentication flow that should only be used for legacy systems. It is not secure, and has been criticized multiple times. We provide it here because we have integration partners that use this flow.

We use OpenID & OAuth for authentication. There are several different flows you can follow for authentication, but by default your tenant will be activated for the Authorization Code Flow. The following steps describe how to get an access token in Postman using the Password Grant flow. This flow should generally not be used in production, but it is easy to test API calls with it. Ask [email protected] to change the authorization flow for you if you want to use the Password Grant flow. Postman also supports other authorization flows, but these take a bit more manual work to set up.

1. Setting up your environment

Set up an environment in Postman with these 4 variables. Don't forget to change the URLs of the servers to the environment you're using.

2. Creating the request

Create a POST request to {{identity_server_url}}/connect/token. The value {{identity_server_url}} will automatically be replaced by the URL you have put in your environment variable.

Add Basic Auth as the authorization type for your request. Use your Client ID as the username and your Client Secret as the password.

3. Adding the body

Add a body to the request with the following keys and values. In the username and password fields, fill in the user email and user password of the SALTO KS user you created earlier.

4. Copying the token

For this step add the following code to the Tests section of the request. This will automatically copy your access token and refresh token to the environment variables so you don't have to manually copy/paste them every time.

5. Getting the token

If all goes well, as soon as you hit send, you should receive a response that has the status "200 OK" and the response body should contain an access token.

You are now ready to make API requests!
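
The same request as steps 2 to 5, outside Postman, as an added Node.js example that is not SALTO KS code or part of the original page. The function names are hypothetical, the body keys are the standard ones from RFC 6749 section 4.3.2 (assumed to match what the tenant expects), and all sample values are constructed.

```javascript
// Added example (not SALTO KS code). Function names are hypothetical and all
// sample values are constructed; body keys follow RFC 6749 section 4.3.2.

// Steps 2-3: build the POST to <identity_server_url>/connect/token.
function buildTokenRequest({ identityServerUrl, clientId, clientSecret, username, password, scope }) {
  // Basic Auth: Client ID as username, Client Secret as password.
  const basic = Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
  // URLSearchParams form-encodes the values, so '&' or '@' in a password is safe.
  const body = new URLSearchParams({ grant_type: "password", username, password });
  if (scope) body.set("scope", scope); // scope value is tenant-specific (assumption)
  return {
    url: `${identityServerUrl.replace(/\/+$/, "")}/connect/token`,
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: body.toString(),
  };
}

// Step 4: extract the tokens, failing closed on any OAuth error response.
function extractTokens(status, responseText) {
  let json;
  try {
    json = JSON.parse(responseText);
  } catch {
    throw new Error(`token endpoint returned non-JSON (HTTP ${status})`);
  }
  if (status !== 200 || !json || json.error) {
    // Surface only the OAuth error code; never echo credentials or tokens.
    throw new Error(`token request failed: HTTP ${status} ${(json && json.error) || "unknown_error"}`);
  }
  if (typeof json.access_token !== "string" || json.access_token === "") {
    throw new Error("response has no access_token");
  }
  return { accessToken: json.access_token, refreshToken: json.refresh_token ?? null };
}

// Step 5: send it (Node 18+ global fetch). Read secrets from the environment.
async function getTokens(params) {
  const req = buildTokenRequest(params);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return extractTokens(res.status, await res.text());
}
```

Because this flow hands the user's password to the client, keep the Client Secret and user password out of source control and out of logs, and store the returned tokens with the same care.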