Authorization Token

Overview

To sync resources into Vanta, you first need to authenticate to the API by obtaining an application-specific token.

To obtain the access token, make an API request using the private client id and private secret id. If the request succeeds, the response contains an access token to use in subsequent requests that sync or retrieve resources.

📘

The access token is only valid for 1 hour (3600 seconds), meaning a new token should be requested once the current one expires.

🚧

Your access token is sensitive and could be used to access or send data for your application. Keep this stored safely and do not share it with anyone you don’t trust!

Example

Request

Request Type: POST
URL: https://api.vanta.com/oauth/token
Header: N/A
Parameters: Content-Type: application/json
Body: JSON Object containing client_id, client_secret, scope and grant_type as follows:

{
  "client_id": "{{private_client_id}}",
  "client_secret": "{{private_secret}}",
  "scope": "connectors.self:write-resource connectors.self:read-resource",
  "grant_type": "client_credentials"
}

Body parameters

  • client_id: The OAuth client id that was generated when you created your application.

    Add this value to the initial and current values of the {{client_id}} variable and save your environment.

  • client_secret: The OAuth client secret that was generated when you created your application.

    Add this value to the initial and current values of the {{secret}} variable and save your environment.

  • scope: String value of:
    • “connectors.self:read-resource” (enables the token you generate the permission to retrieve resources from Vanta).
    • “connectors.self:write-resource” (enables the token you generate the permission to sync resource data into Vanta).
    • Both of the above, separated by a space.
  • grant_type: Fixed String value “client_credentials”

Response

Response Code: 200
Headers: Ignore
Body: JSON Object containing your access token as follows:

{
  "access_token": "{{token}}",
  "expires_in": 3599,
  "token_type": "Bearer"
}

Body Parameters

  • access_token will be used in the authentication header of all subsequent requests to the Vanta API endpoints that retrieve or sync resource data.
  • access_token will automatically be stored in the {{token}} variable.
  • expires_in will be set to 3599 seconds (one hour) which defines the duration the token will be active for.
  • token_type will always be “Bearer”.

📘

Use the “access_token” in all subsequent requests to the Vanta API endpoints that retrieve or sync resource data. The token is passed in the header of each request as a Bearer token.

❗️

Unauthorized HTTP 401 response codes are caused by invalid or expired tokens. Use the step above to request a new access token when that occurs. You should also confirm your “client_id” and “client_secret” are accurate.

🚧

Any other response code means the request was not processed correctly by Vanta and therefore no access token has been generated. Check your client and secret ids and the format of the request, then reattempt this step until you receive the successful response shown above.
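
The token request, the one-hour lifetime and the 401 handling described above can be combined into a small in-memory token cache. This is an added example, not Vanta's own code: the TokenCache class, its method names, the 60-second renewal margin and the VANTA_CLIENT_ID / VANTA_CLIENT_SECRET environment variable names are assumptions, and the token is sent in the standard Authorization header.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://api.vanta.com/oauth/token"
SCOPE = "connectors.self:write-resource connectors.self:read-resource"


def post_json(url, payload):
    """POST a JSON body and return the decoded JSON reply (urllib raises on non-2xx)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: keeps the token in memory only and renews it before expiry."""

    def __init__(self, client_id, client_secret, post=post_json, clock=time.monotonic, margin=60):
        self._body = {"client_id": client_id, "client_secret": client_secret,
                      "scope": SCOPE, "grant_type": "client_credentials"}
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._expires_at = None, 0.0

    def auth_header(self):
        """Return the Bearer header, requesting a new token only when needed."""
        if self._token is None or self._clock() >= self._expires_at:
            reply = self._post(TOKEN_URL, self._body)
            if reply.get("token_type") != "Bearer" or not reply.get("access_token"):
                raise RuntimeError("unexpected token response")  # never echo the reply
            self._token = reply["access_token"]
            # Renew `margin` seconds early so a request never carries an expired token.
            self._expires_at = self._clock() + reply["expires_in"] - self._margin
        return {"Authorization": f"Bearer {self._token}"}

    def invalidate(self):
        """Call after an HTTP 401 so the next request fetches a fresh token."""
        self._token = None

    def __repr__(self):
        return "TokenCache(<redacted>)"  # keeps credentials out of logs and tracebacks


if __name__ == "__main__":
    # Assumed variable names; reading from the environment keeps secrets out of source.
    cache = TokenCache(os.environ["VANTA_CLIENT_ID"], os.environ["VANTA_CLIENT_SECRET"])
    print(sorted(cache.auth_header()))  # prints the header name only, not the token
```

Call invalidate() and retry once when a resource request returns 401; a second 401 points at the client id or secret rather than an expired token.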

👍

Ready! Go ahead and start sending resources!