2 Legged Authorization

Basic Steps

All client applications, both Sandbox and Production, follow a basic pattern when making requests to a DigiKey API with the OAuth 2.0 framework.

At a high level, there are three steps:

Register an Application

When you register an application, it will be provisioned an OAuth2 client ID and client secret. Copy and secure this information for your client application.

Get an access token

Get an access token by sending the client id, client secret, and grant type to the authorization server’s token endpoint. You will receive an access token.

Send the access token to an API

By passing the access token in a request header, the client application can now make requests to the DigiKey API it is subscribed to. When the access token expires, a new access token must be requested.


Sandbox Application

The information needed to complete the 2 legged OAuth process for Sandbox Applications is given below. Before continuing, please confirm that a client application is registered, its client id and client secret are stored and secured, and it is subscribed to a Sandbox API Product.

 

Getting the Access Token

| Sandbox Access Token Endpoint | Description |
| --- | --- |
| https://sandbox-api.digikey.com/v1/oauth2/token | This endpoint is the target of the request. The result of requests to this endpoint is the access token. |

 

The request for an access token is an HTTPS POST request and must include the following x-www-form-urlencoded data:

| Parameter | Description |
| --- | --- |
| client_id | This is the client id assigned to the application that you generated within the API Portal. |
| client_secret | This is the client secret assigned to the application that you generated within the API Portal. |
| grant_type | As defined in the OAuth 2.0 specification, this field must contain the value client_credentials. |

 

An example of an access token POST request (the parameters are sent in the request body, not as query parameters):

 

POST /v1/oauth2/token HTTP/1.1
Host: sandbox-api.digikey.com
Content-Type: application/x-www-form-urlencoded

code=lboI52TG&client_id=application_client_id&client_secret=application_client_secret&grant_type=client_credentials

 

A successful response to this request contains the following fields:

| Field | Description |
| --- | --- |
| access_token | The token sent to access a Digi-Key API. |
| expires_in | The remaining lifetime of the access token, in seconds. |
| token_type | The token type being returned. |

 

A successful response is returned as a JSON object.

Example response to a successful access token request:

 

{
  "access_token": "SLKDosk89/DOSID-frt3234SLsofds",
  "expires_in": 599,
  "token_type": "BearerToken"
}

 

Note: Other fields may be included in the response, and your application should not treat this as an error. The set shown above is the minimum set.

 

Production Application

The information needed to complete the OAuth process for Production Applications is given below. Before continuing, please confirm that a client application is registered, its client id and client secret are stored and secured, and it is subscribed to a Production API Product.

Getting the Access Token

The URL used to get your token is:

| Production Access Token Endpoint | Description |
| --- | --- |
| https://api.digikey.com/v1/oauth2/token | This endpoint is the target of the request. The result of requests to this endpoint is the access token. |

The request for an access token is an HTTPS POST request and must include the following x-www-form-urlencoded data:

| Field | Description |
| --- | --- |
| client_id | The client id assigned to the registered application. |
| client_secret | The client secret assigned to the registered application. |
| grant_type | As defined in the OAuth 2.0 specification, this field must contain the value client_credentials. |

 

An example of an access token POST request (the parameters are sent in the request body, not as query parameters):

POST /v1/oauth2/token HTTP/1.1
Host: api.digikey.com
Content-Type: application/x-www-form-urlencoded

code=lboI52TG&client_id={application_client_id}&client_secret={application_client_secret}&grant_type=client_credentials

A successful response to this request contains these fields:

| Field | Description |
| --- | --- |
| access_token | The token sent to access a DigiKey API. |
| expires_in | The remaining lifetime of the access token, in seconds. |
| token_type | The token type being returned. |

A successful response is returned as a JSON object.

Example response to a successful access token request:

{
  "access_token": "SLKDosk89/DOSID-frt3234SLsofds",
  "expires_in": 599,
  "token_type": "Bearer"
}

Note: Other fields may be included in the response, and your application should not treat this as an error. The set shown above is the minimum set.

 

Token Expiration Time

| Type | Expires in |
| --- | --- |
| Access Token | 10 minutes |

 

Making an API Call

With OAuth completed, the application can send a request.

Developer application example request (Sandbox)

Example request to ProductSearch using developer credentials and endpoint (sandbox-api.digikey.com) :

GET /products/v4/search/P5555-ND/productdetails HTTP/1.1 
Host: sandbox-api.digikey.com 
X-DIGIKEY-Client-Id: WugAd2A6Lxy3Eu3Mgvov45KUNoguMoUl 
Authorization: Bearer StgGLw9b3hkwqlWAGBmdYoBNEokm 
X-DIGIKEY-Locale-Site: US 
X-DIGIKEY-Locale-Language: en 
X-DIGIKEY-Locale-Currency: USD 
X-DIGIKEY-Customer-Id: 0

 

Organization application example request (Production)

Example request to ProductSearch using organization credentials and endpoint (api.digikey.com):

GET /products/v4/search/P5555-ND/productdetails HTTP/1.1
Host: api.digikey.com 
X-DIGIKEY-Client-Id: heWGx9w6DK8kZf3jRv5E9jUAhXrGBU67 
Authorization: Bearer s4T5DbmFZadjNRAEbUnN9zkU3DBj 
X-DIGIKEY-Locale-Site: US 
X-DIGIKEY-Locale-Language: en 
X-DIGIKEY-Locale-Currency: USD 
X-DIGIKEY-Customer-Id: 0

 

 

The value of the Authorization header is prefixed with "Bearer".

e.g.: "Authorization": "Bearer xGr69sdAjLmnAHwGF4R1HedfDHl3j"

 

The value "Bearer" must be sent with the BearerToken or else you will get a Bearer token error.

"Authorization":"Bearer <BearerToken>"