Obtaining Access Token with Postman
An example of the calls made by Postman to get the access token
As an example, here are the requests Postman sends when you request a token with the Request Token button, as described in Quick start / 5. Test your first query in Postman.
Via the Postman console, you can find the following calls:
A first GET call is made with the following parameters:
/connect/authorize
&response_type=code
&state={A value of your choice}
&client_id={your client ID}
&scope=RDSA%20WDSA
&redirect_uri={your redirect URL}
If the call is successful, an HTTP 302 Found response code is returned to Postman, and the response carries a header field (Response Headers) named location containing:
- the redirect URL sent in the GET by Postman,
- an authorization code assigned by the authentication server,
- the state value sent in the GET by Postman.
Response Headers
location: "{redirect url}?code={authorization code}&state={state value}"
Postman then makes a POST call to get the token:
/connect/token
grant_type=authorization_code
&code={the authorization code returned in response to the GET request}
&redirect_uri={your redirect url}
&client_id={your Client ID}
&client_secret={Your Client Secret}
Here is an example of a response retrieved by Postman. It contains, in particular, the access token (fictitious, for the example), the refresh token, the scopes and the validity period:
{"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjlENjA0NjRCRkU5REM3MTBGRjYxOEVDNjhGMTFFMjMwIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3NiY2F1dGhpZHNlcnZlci5henVyZXdlYnNpdGVzLm5ldC8iLCJuYmYiOjE2NDM4OTc5NTcsImlhdCI6MTY0Mzg5Nzk1NywiZXhwIjoxNjQzODk4MjU3LCJhdWQiOiI2ZjE3NW44YW5hM1E1U0xYTWFkMmJsMzE2RnliMWJkZSIsImFtciI6WyJleHRlcm5hbCJdLCJhdF9oYXNoIjoiWDhiQndCLXZfUTUzRmNoVDZsaWZBQSIsInN1YiI6ImF1dGgwfDMyOTkwZDIyN2YyMjhhYTVjMmJiNDYzMGFjNDQ4OGEwOGFkMzJhMzA3YTg5NmI0NCIsImF1dGhfdGltZSI6MTY0Mzg3NTkxNywiaWRwIjoiU2JjQXV0aCJ9.RuDUg8tIshRGjEpASXQ2_1wnFGNPtLrqh0mF9vYV23hpgCdIqqcgk5ZKHzFhFqanin6aD48RKU8cmjbH_Vh6mZXRwvlXE6gawTlsizRvxfI6XNzoqwBR5vDhUjB67btqYrpjdVSsKiANOGWSJHDT2OeLPsumM6lL-_x1yka58dE_JYIv87WI6dHCWOFgcIjhsZoH5ZSVYR1jnUd5RVAFCd9ZNhU2fpxchL36EbN1yvGELYTaWpYh1aTmHtX-LCnjGTWEmDbnibX1PSxUw0mo4CnFOgtdT0iU8QM2cKX1uwFGRx-nBEn20Z_NJnoTGhfocTLCliCcy1z_eeXlMU5Z3A","access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjlENjA0NjRCRkU5REM3MTBGRjYxOEVDNjhGMTFFMjMwIiwidHlwIjoiYXQrand0In0.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.rxopPRDm9SvrwNLnKTrFXh19o-dJF60umnzeqD4jB0fnZx4e9ewpa-ihbRtMYZg2aWV4jHD5GUARliX8g895xKpFfxY-7YvzZ7oy5B4M4LVKh27qBMDIvaoUbOFXn_RnE6Owl_WChvYLeBvH64_YzsJ-kJlIbP95AgKcB6Kwt0aP7PJHfADnuSSdBVqmvi2g2Jcz5yXe9OyVxF7et-XzoI60iraZJjImvSY0HyA-3Ol5OEm7cdTC3YunSuheU5TefkCQ_N7GE_ZLqvTHMO57h7XmWRMgiTnEQxs1hnX6EsQj0XWWJE1D8dH11yLWQLh43FeG5eN7EhcZI9IOoLnm7Q","expires_in":3600,"token_type":"Bearer","refresh_token":"45137F887FC65B75597FEE6930D25E848DBD0736FD6512C1312054AB4F55ABF1-1","scope":"openid LDC EDC offline_access"}
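The two calls above, as an added Python example (not Sage's or Postman's code): it builds the authorize URL with a random state, checks the location header of the 302 before accepting the code, and prepares the token POST. The host `auth.example.invalid`, the function names and the sample values are assumptions; only the endpoint paths, parameter names and scope come from this page.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, quote

AUTH_BASE = "https://auth.example.invalid"  # assumption: the page does not give the host


def build_authorize_url(client_id, redirect_uri, scope="RDSA WDSA"):
    """Return (url, state) for the first GET to /connect/authorize."""
    state = secrets.token_urlsafe(32)  # unguessable, one value per login attempt
    query = urlencode({
        "response_type": "code",
        "state": state,
        "client_id": client_id,
        "scope": scope,
        "redirect_uri": redirect_uri,
    }, quote_via=quote)  # encodes the space as %20, as in the page's scope value
    return f"{AUTH_BASE}/connect/authorize?{query}", state


def extract_code(location, expected_state, redirect_uri):
    """Validate the 302 location header and return the authorization code."""
    got, want = urlsplit(location), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect target does not match the registered redirect_uri")
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    # The state must be the one sent in the GET; otherwise the response may have
    # been injected by another party (login CSRF). Compare in constant time.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    if "code" not in params:
        raise ValueError("no authorization code in redirect")
    return params["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Return (url, form_body) for the POST to /connect/token."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,  # send in the POST body over TLS, never in a URL
    })
    return f"{AUTH_BASE}/connect/token", body
```
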
Use of the token during calls to Sage Active Public API V2
Once the access token has been obtained, for each call to Sage Active Public API V2, Postman will add the token to the request header in the form:
Authorization: Bearer {Access Token}
For the token retrieved above (a fictitious token, for the example), Postman will add:
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjlENjA0NjRCRkU5REM3MTBGRjYxOEVDNjhGMTFFMjMwIiwidHlwIjoiYXQrand0In0.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