
Application-Only Authentication Flow

Applications can use the client credentials grant type of the OAuth2 specification to get an access token that provides access to public, non-user-specific data (events, listings, etc.).

1. Create a Basic Authorization header

  • URL encode your application's client id and client secret according to RFC 1738
  • Concatenate the encoded client id, a colon character “:” and the encoded client secret into a single string
  • Base64 encode the string from the previous step

2. Obtain an access token

  • The value calculated in Step 1 must be exchanged for an access token:

Request

# -u/--basic makes curl Base64-encode clientId:clientSecret into the Authorization header
curl -X POST "https://account.stubhub.com/oauth2/token" \
  -u "clientId:clientSecret" --basic \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "scope=read:events"

Headers

| Name | Value |
|---|---|
| Authorization | Basic {value from step 1} |
| Content-Type | application/x-www-form-urlencoded |

Parameters

| Name | Type | Description |
|---|---|---|
| grant_type | string | Required. Value should be client_credentials |
| scope | string | Space-delimited string of the scopes you would like. |

Response

{
  "access_token": "pYXQiOjE0MjI1MzY0NjEsInNjb3BlIjo",
  "token_type": "bearer",
  "expires_in": 86400,
  "scope": "read:events"
}
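
Steps 1 and 2 in Python, added here as an example and not part of the original documentation or StubHub's own code. It assumes urllib.parse.quote with safe="" as the URL encoder and uses constructed credentials; the request is built but not sent, and the response it parses is the sample shown above.

```python
import base64
import json
import time
import urllib.request
from urllib.parse import quote, urlencode

TOKEN_URL = "https://account.stubhub.com/oauth2/token"  # endpoint from the page
# Response body copied from the page's sample.
SAMPLE_RESPONSE = ('{"access_token": "pYXQiOjE0MjI1MzY0NjEsInNjb3BlIjo", '
                   '"token_type": "bearer", "expires_in": 86400, "scope": "read:events"}')


def basic_auth_value(client_id, client_secret):
    """Step 1: percent-encode both parts, join with ':', Base64 the result."""
    # Assumption: quote(..., safe="") is the URL encoder. It escapes a ':'
    # inside the secret, so the only raw colon is the id/secret separator.
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def build_token_request(client_id, client_secret, scopes):
    """Step 2: the POST from the page's curl command (built, not sent)."""
    body = urlencode({"grant_type": "client_credentials",
                      "scope": " ".join(scopes)}).encode("ascii")
    headers = {"Authorization": basic_auth_value(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def parse_token_response(raw, requested_scopes, now=None, skew=60):
    """Validate the token response; return (access_token, refresh_at_epoch)."""
    doc = json.loads(raw)
    if doc.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    missing = set(requested_scopes) - set(doc.get("scope", "").split())
    if missing:
        raise ValueError(f"scopes not granted: {sorted(missing)}")
    now = time.time() if now is None else now
    # Refresh `skew` seconds early so the token is never used past expires_in.
    return doc["access_token"], now + int(doc["expires_in"]) - skew


if __name__ == "__main__":
    # Constructed credentials; the secret contains ':' and '+' on purpose.
    req = build_token_request("my-client", "s3:cr+et", ["read:events"])
    # Print method, URL and body only; the Authorization header carries the secret.
    print(req.get_method(), req.full_url, req.data.decode())
    print(parse_token_response(SAMPLE_RESPONSE, ["read:events"], now=0))
```

curl's -u option Base64-encodes the pair exactly as typed, without URL-encoding it, so for a secret containing reserved characters the header it sends differs from the Step 1 value computed here.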