Openmarkets allows your application to issue authenticated requests on its own behalf. This is done using the OAuth2 Client Credentials Grant.
When using this grant type, your application will not have the context of an authenticated user, and therefore requests will be unauthorised where endpoints require a user context.
# shell example
$ curl -X POST -u '{client_id}:{client_secret}' \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=client_credentials&scope=market-data-api%20news-api%20oms-api' \
  'https://stage-identity.openmarkets.com.au/connect/token' # for PROD use https://identity.openmarkets.com.au/connect/token
// .Net Example (C#)
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

var authUrl = "https://stage-identity.openmarkets.com.au/connect/token"; // for PROD use https://identity.openmarkets.com.au/connect/token
var clientId = "YOUR_CLIENT_ID";
var clientSecret = "YOUR_CLIENT_SECRET";
var postData = "grant_type=client_credentials&scope=market-data-api%20news-api%20oms-api";
var client = new HttpClient();
// Basic authentication: client_id is the username, client_secret is the password
client.DefaultRequestHeaders.Authorization =
    new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.ASCII.GetBytes($"{clientId}:{clientSecret}")));
// await requires an async method or top-level statements; it avoids blocking on .Result
var result = await client.PostAsync(new Uri(authUrl), new StringContent(postData, Encoding.UTF8, "application/x-www-form-urlencoded"));
var tokenJson = await result.Content.ReadAsStringAsync();
Request an access token using your client_id and client_secret, along with the list of scopes that you require, by making a valid request to https://stage-identity.openmarkets.com.au/connect/token.
See each individual API documentation for the scopes required to access them. Attempting to use a scope that is not included in your plan will result in a 400 invalid_scope error.
The request is authenticated using basic authentication with the client_id and client_secret corresponding to a username and password respectively.
{
"access_token": "b15ec944b77e2c7a92703bd969b3be92",
"expires_in": 3600,
"token_type": "Bearer"
}
The access_token should be cached for the duration specified in the expires_in field. Rate limits are applied.
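One way to implement the caching described above, as an added example in Python that is not Openmarkets' own code. The names `fetch_token` and `TokenCache` and the 60-second early-renewal margin are assumptions made for illustration; the endpoint, scopes and response fields are those shown on this page.

```python
import base64, json, time, urllib.parse, urllib.request

# Staging token endpoint, as given on this page.
TOKEN_URL = "https://stage-identity.openmarkets.com.au/connect/token"

def fetch_token(client_id, client_secret, scopes, url=TOKEN_URL):
    """Send the client credentials request and return the parsed JSON body."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)},
        quote_via=urllib.parse.quote).encode()  # spaces become %20
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})
    # A 400 such as invalid_scope surfaces here as urllib.error.HTTPError.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: reuse one access_token until just before expiry."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        # skew (assumed 60 s) renews early so a token never expires in flight.
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            resp = self._fetch()
            if str(resp.get("token_type", "")).lower() != "bearer" or "access_token" not in resp:
                # Report the problem without echoing the response, which may hold a token.
                raise ValueError("unexpected token response")
            self._token = resp["access_token"]
            self._expires_at = now + max(0, int(resp["expires_in"]) - self._skew)
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.get()}"}

if __name__ == "__main__":
    # Constructed stand-in for the identity server so the example runs offline.
    sample = {"access_token": "constructed-token", "expires_in": 3600, "token_type": "Bearer"}
    cache = TokenCache(lambda: dict(sample))
    print(cache.auth_header(), cache.get() == cache.get())
```

Against the real endpoint, construct the cache with `TokenCache(lambda: fetch_token(client_id, client_secret, ["market-data-api"]))` and load the secret from the environment or a secret store rather than from source code.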