Introduction to OAuth2

For the security of our products (Unifeed, Webservices), we use the open standard OAuth2. The OAuth2 standard is a widely accepted standard that is used by many software parties and has an abundance of libraries available. With the OAuth2 autorisation protocol, it is possible for third-party applications to acquire limited access to our http services. To access these services, the application needs client-credentials (client_id/client_secret). To gain access to the data, the user additionally needs to be identified by his/her username and password. More complete information about the OAuth2 specification can be found here: OAuth2 website

2BA supports 2 authorization flows from the OAuth spec. These flows are: “Resource Owner Password Credentials Grant” and “Authorization Code“. 


  • Choose one of the supported flows. Choose the flow that best matches your situation.
  • Use these flows to retrieve the Access Token / Refresh Token one time.
  • Refresh the Access Token, if expired, by utilising the Refresh Token.
  • Invoke the desired JSON or SOAP service or Unifeed and provide the Access Token.

Resource Owner Password Credentials Grant

This flow can be used when there is a trusted relation between the application and the end user. The end user enters his/her username and password in the application. This flow can be used, for example, when the application is installed on the end user’s computer.

More details and example code can be found here: Resource Owner Password Credentials Grant.

Authorization Code

This flow can be used when there is no trusted relation between the application and the end user, for example, when the application resides on the internet. The user will, in that case, NOT enter their 2BA credentials in a third-party application. The application can use this flow to redirect the user to the 2BA website, where the user will enter his/her credentials and 2BA will return an autorization code to the third-party application.

More details and example code can be found hereAuthorization Code


Authorization URL
Access token URL
Client ID(as received from 2BA)
Client secret(as received from 2BA)
Preferred grand typeAuthorization Code
 see also:

OAuth token


This service is used to get an Access Token / Refresh Token. You can use the new Access Token to access the webservices.

Don’t forget to replace your old Refresh Token with the new one! Refresh Tokens also time out once. When you issue an invalid Request Token, this service will respond with a “bad request” (http statuscode 400) result. In this case the user has to login again to aquire a new Refresh Token.

More details and example code can be found here: Refresh Acces Token

See our introduction to OAuth2 here.

This is a POST request!

Resource URL
possible options are “password”, “refresh_token”, “authorization_code” 


Example value: password

Login name for the end-user (resource owner). Required when grant_type=password 


Example value:

Password that comes with the previous username. Required when grant_type=password 


Example value: myPassword

Authorization code received from the authorization server. Required when grant_type=authorization_code


Example value: sdfsdfsGEasd

Refresh token received within a previous request. Required when grant_type=refresh_token 


Example value: tGzv3JOkF0XG5Qx2TIKWIA

String that identifies the client application. Required when grant_type=password|refresh_token 


Example value: myApplication

Secret string that comes with the client_id. Required when grant_type=password|refresh_token 


Example value: myApplicationSecret

Redirect Uri. Required when redirect_uri was included in the Authorization request for Authorization Code Grant, and the redirect_uri has to be the same! 


Example value: 

Only available for JSON format. If supplied, the response will use the JSONP format with a callback of the given name.


Example value:

Response Object
access_tokenstringString which should be send with each service request.


Example value: gAAAGw231OZXwzMiH_wV…..

token_typestringType of the Access Token.


Example value: bearer

expires_inintegerExpiry time of the Acces Token in seconds.


Example value: 120

refresh_tokenstringThis token can be used to obtain a new Access Token.


Example value: LwfI!IAAAAFLDVUewBJ04M3z8SutDTR…

Example Request
Request URL:
 Request Method:POST
 Content-Type: application/x-www-form-urlencoded
 '''''Form Data'''''

Request URL:
Request Method:POST
 Content-Type: application/x-www-form-urlencoded
 '''''Form Data'''''
Example Response
Wat biedt 2BA voor u als Installateur Wat biedt 2BA voor u als Groothandel Wat biedt 2BA voor u als Fabrikant Wat biedt 2BA voor u als Software Partner
This site is registered on as a development site.