• Get Started
  • Documentation
  • Samples
  • Blog
  • Pricing

    • Authorize a Web Application

    Introduction

    When developing web applications using a server-side framework, use the following procedures to set up your authorization. This tutorial is based on the OAuth workflow, diagram, and steps described in the web app authorization documentation.

    Register your application

    The first step for authorizing your web app is to register your application.

    1. If you have not created an application, open the My Apps page under your Profile menu, and click the Register New button. In this case, the application type is Web App.
    2. For this tutorial, add the redirect URI, https://developer.bentley.com/redirect-tutorial, during app registration, or on the App Details for a previously registered application. If you are testing locally or on a deployed app, you will use the redirect URI of your application.
    3. Make sure to save the client_id and the client_secret supplied when you create your application.

    IMPORTANT

    Keep your client credentials, i.e., client ID, client secret, and access tokens, secure. Do not include them in publicly accessible code where they could be discovered. Instead, store them safely on a backend server.

    Obtain an access token

    Once you have your app registered, you can obtain an access token by following these steps:

    1. Redirect the user to the authorization endpoint.

      https://qa-ims.bentley.com/connect/authorize

    Below is an example request along with required parameters. You can obtain the client_id and redirect_uri from your app registration on My Apps.

    Redirect

    1. Allow user to login and give consent to the application for calling APIs on their behalf.

      User interface for facing Bentley authorization server

    2. Once authenticated, extract the code in the response from the redirect_uri that authorization server is configured to use.

      https://example-rediect-uri/?code=<code>

      Note

      Authorization codes are time-sensitive. If your code expires, send a new request to the authorization server for a new code.

    3. Send a request to the token endpoint to exchange the authorization code for an access token.

    POST
    https://qa-ims.bentley.com/connect/token

    Your app's client_secret is one of the required parameters. If you didn't already save your client_secret, generate a new one from your app registration on My Apps.

    1. Your application can now use the access token returned by the token endpoint to access APIs on behalf of the user.

    Request a new access token with a refresh token

    When your access token is close to the expiry time, you can request a new one using the refresh token provided in the original request. The response contains a new token and a new refresh token.

    POST
    https://qa-ims.bentley.com/connect/token

    Use your token

    If you received a 200 OK response to your token request, you have successfully obtained a token. You can use this token to call various iTwin Platform APIs. You can try making an API call to users/me endpoint to test your token. On success, this request returns the profile information for the user account associated with the token received.

    Remember, the iTwin Platform Base URI is api.bentley.com.

    More resources that you may like

    Access Control
    Manage Access Controls for your iTwin member using iTwin roles and permissions.