Cyclr API authentication is provided using OAuth2.

OAuth access tokens are granted to either manage the partner level, or access and modify a partner account.

Get access token

To get an access token from Cyclr you call the “/token” endpoint with different details, depending on where you wish to work.

To receive a Partner access token Provide the email address and password you use to access your Cyclr Partner Console.

To receive an Account access token Provide the username and password of an account user.


Partner access token

POST https://yourCyclrInstance/oauth/token
Content-Type: application/x-www-form-urlencoded


Account access token

POST https://yourCyclrInstance/oauth/token
Content-Type: application/x-www-form-urlencoded

  • yourCyclrInstance – your Cyclr instance URL. This could be one of the following: if your Cyclr account is hosted on our US instance; if it’s on our UK instance; your own domain if your Cyclr instance is self-hosted.
  • client_id – the client ID of the Partner. This can be found in the Cyclr Console.
  • client_secret
    (Optional) the ID of the account this token is for
  • grant_type – the Cyclr Partner API only supports the password grant_type
  • username – the username of the authenticating user
  • password – the password of the user


    "access_token": "************",
    "token_type": "bearer",
    "expires_in": 1209599,
    "refresh_token": "************",
    "userName": "************",
    "clientId": "************",
    ".issued": "Thu, 24 Nov 2016 16:32:59 GMT",
    ".expires": "Thu, 08 Dec 2016 16:32:59 GMT"
  • access_token – the token to use when making requests to the Cyclr API
  • expires_in – the amount of time in seconds until access_token will expire
  • refresh_token – the token that can be used to generate a new access token without needing to provide username and
    password details. See Refresh access token below.

Refresh access token

To obtain a new access token - before or after it has expired - you call the OAuth “/token” endpoint with a grant_type of refresh_token and pass the refresh token that was included with the current access token. Once used, the old access and refresh tokens will no longer be valid.

POST https://yourCyclrInstance/oauth/token
Content-Type: application/x-www-form-urlencoded


Refresh tokens from Cyclr’s API don’t expire so you can keep them until you need to obtain a new access token.

Calling an API method

To authenticate your requests you need to include the access token in the Authorization HTTP header.

Authorization: Bearer {AccessToken}

View Cyclr’s API Endpoints

Tags: embedding
Edit me