Access Token

Formstack Sign API provides two methods for obtaining an access token, based on the client type and specific use case:

  • Authorization Code Flow - Involves multiple steps where the user authenticates with the authorization server, and the client exchanges an authorization code for an access token, keeping credentials secure.
  • Username and Password Flow (Resource Owner Password Credentials Grant) - The client directly receives the user's username and password to request an access token, making it simpler but less secure since credentials are exposed to the client.

Obtaining an Access Token with Authorization Code

Endpoint used by integrators to exchange an authorization code, issued by the Authorization Code request, for an access token that will be used on all subsequent InsureSign API calls.

URL

POST https://sign-auth.insuresign.io/oauth2/token

Headers

| Name | Value | Description |
|------|-------|-------------|
| Content-Type | application/x-www-form-urlencoded | |
| Authorization | InsureSign Integration credentials. | Base64 encoded string of client_id:client_secret |

Request Fields

| Path | Type | Optional | Description |
|------|------|----------|-------------|
| grant_type | String | false | Value of authorization_code as required by the OAuth2 standard for token exchange. |
| client_id | String | false | Your InsureSign issued integration client_id. |
| redirect_uri | String | false | Your callback_url as specified in the original Get Authorization Code request. |
| code | String | false | The authorization_code issued by the Get Authorization Code request. |

Response Fields

| Path | Type | Description |
|------|------|-------------|
| access_token | String | The OAuth access token issued by the token exchange request. This will be used as Authorization credentials on all subsequent InsureSign API calls. |
| refresh_token | String | The OAuth refresh token which can be used to reset the time to live for the access token. |
| expires_in | Long | Time in seconds that the issued access token will be valid. |
| token_type | String | Defines the type of access token that was granted by the token exchange. |

Example Request

$ curl 'https://sign-auth.insuresign.io/oauth2/token' -i -X POST \
    -H 'Authorization: Basic YourEncodedClientIdAndSecret' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'grant_type=authorization_code&client_id=myclientid&redirect_uri=https%3A//048085cd.ngrok.io/auth&code=df90c9f7-680d-4843-996c-70b76f36e56b'

Example Response

HTTP/1.1 200 OK
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Expires: 0
X-Frame-Options: DENY
Content-Length: 625
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Cache-Control: no-cache, no-store, max-age=0, must-revalidate

{
  "access_token": "your access token",
  "refresh_token": "your refresh token",
  "expires_in": 3600,
  "token_type": "Bearer"
}
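The exchange above can be sketched in Python as follows. This is an added example, not Formstack's own code: it builds the token request without sending it and validates a response shaped like the one shown. The function names `build_token_request` and `parse_token_response` are hypothetical, and all credentials and tokens are constructed sample values.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://sign-auth.insuresign.io/oauth2/token"  # from the page


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Build (but do not send) the authorization-code token exchange request."""
    # Authorization header: Base64 of client_id:client_secret, per the Headers table.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # urlencode percent-encodes every reserved character in redirect_uri and code,
    # so the secret stays in the header and the body is unambiguous form data.
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw_json, now=None):
    """Check the documented response fields and turn expires_in into an absolute time."""
    data = json.loads(raw_json)
    required = {"access_token", "refresh_token", "expires_in", "token_type"}
    missing = required - set(data)
    if missing:
        raise ValueError(f"token response missing fields: {sorted(missing)}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data['token_type']}")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            "refresh_token": data["refresh_token"],
            "expires_at": now + int(data["expires_in"])}


# Constructed sample response, not a real token.
SAMPLE_RESPONSE = ('{"access_token": "tok", "refresh_token": "ref", '
                   '"expires_in": 3600, "token_type": "Bearer"}')

if __name__ == "__main__":
    req = build_token_request("myclientid", "constructed-secret",
                              "df90c9f7-680d-4843-996c-70b76f36e56b",
                              "https://048085cd.ngrok.io/auth")
    print(req.get_method(), req.full_url, req.data.decode())
    print(parse_token_response(SAMPLE_RESPONSE, now=0))
```

Storing `expires_at` rather than `expires_in` lets the caller decide when to use the refresh token without tracking when the response arrived.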

Obtaining an Access Token with Username and Password

Used for integrations configured with the Client Credentials OAuth2 Flow to authenticate. This returns a client access token, which you submit with all subsequent requests as your authorization to carry out the request.

URL

POST https://sign-auth.insuresign.io/oauth2/token

Headers

| Name | Value | Description |
|------|-------|-------------|
| Content-Type | application/x-www-form-urlencoded | |
| Authorization | InsureSign Integration credentials. | Base64 encoded string of client_id:client_secret |

Request Fields

| Path | Type | Optional | Description |
|------|------|----------|-------------|
| grant_type | String | false | Value of client_credentials as required by the OAuth2 standard for Client Credential authentication. |
| client_id | String | false | Your InsureSign issued integration client_id. |

Response Fields

| Path | Type | Description |
|------|------|-------------|
| access_token | String | The OAuth access token issued by the token request. This will be used as Authorization credentials on all subsequent InsureSign API calls. |
| expires_in | Long | Time in seconds that the issued access token will be valid. |
| token_type | String | Defines the type of access token that was granted by the token exchange. |

Legacy API Endpoint

For any API credentials issued prior to January 15th, 2021, use the following URL:
https://auth.insuresign.io/