Getting an Access Token

This guide covers three OAuth 2.0 grant types: Authorization Code Grant, Password Grant, and Personal Access Tokens.


This guide walks you through the steps of obtaining an access token for making RESTful API calls to ProcessMaker. You will obtain an access token and then use it to consume the API. After you complete this document, continue with the Getting a Refresh Token guide.

Don't forget to replace placeholders like <your-instance>, <your-client-id>, etc., with your actual values. Always protect your client secret, access tokens, personal access tokens, and user credentials.


Step 1: Install Necessary Python Libraries

Before starting, ensure you have the necessary Python libraries installed. You will need requests for making HTTP requests and oauthlib for handling the OAuth 2.0 flows.

Install them via pip:

pip install requests oauthlib

Step 2: Set Up Your Client Application

If you have not yet created your client application, you need to do so first. If you already have your client ID and client secret, go to step 3.

Step 3: Use the Correct Grant Type

Authorization Code

This grant is used by web and mobile applications and involves the following steps:

  • Redirect the user to the authorization server (ProcessMaker).

  • The user accepts the application.

  • The application exchanges an authorization code for an access token.

import requests
from oauthlib.oauth2 import WebApplicationClient

# Initialize the OAuth client
client = WebApplicationClient(client_id='<your-client-id>')

# Generate the authorization URL. The authorize endpoint path below is assumed;
# confirm it against your instance. The redirect URI must match the one
# registered for your client application.
auth_url = client.prepare_request_uri(
    'https://<your-instance>/oauth/authorize',
    redirect_uri='<your-redirect-uri>',
)

print(f'Please go to the following URL and authorize the app: {auth_url}')

# After the user has authorized the app, they will be redirected to the redirect URI
# with a code in the query string. Paste that code here.
code = input('Enter the authorization code: ')

# Exchange the authorization code for an access token
# (token endpoint path assumed; confirm it against your instance)
token_url = 'https://<your-instance>/oauth/token'
token_data = client.prepare_request_body(
    code=code,
    redirect_uri='<your-redirect-uri>',
    client_secret='<your-client-secret>',
)

response = requests.post(token_url, data=token_data)
response.raise_for_status()  # fail loudly on an error response instead of parsing it
token_info = response.json()

print(f'Access token: {token_info["access_token"]}')

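The redirect step of the flow above is where a client should bind the authorization request to the callback with a random state value and refuse callbacks that do not carry it back. The following is an added example (not from the ProcessMaker documentation) using only the standard library; the endpoint URLs and client ID in it are placeholders you would replace with your own.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def build_authorization_url(authorize_url, client_id, redirect_uri, scope=None):
    """Return (url, state). Keep state in the user's session; it is checked
    when the user comes back so a code from someone else's flow is rejected."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if scope:
        params["scope"] = scope
    return f"{authorize_url}?{urlencode(params)}", state


def extract_authorization_code(callback_url, expected_state):
    """Validate the callback the browser arrived with and return the code.
    Raises ValueError for an error response, a missing state, a mismatched
    state, or a missing code; the caller should then discard the callback."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(
        state.encode("utf-8"), expected_state.encode("utf-8")
    ):
        raise ValueError("state mismatch: discard this callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


if __name__ == "__main__":
    # Constructed values standing in for a real instance and client.
    url, state = build_authorization_url(
        "https://example.invalid/oauth/authorize", "my-client-id",
        "https://app.example.invalid/callback",
    )
    print("send the user to:", url)
    # Constructed callback, as the authorization server would redirect it.
    callback = f"https://app.example.invalid/callback?code=abc123&state={state}"
    print("authorization code:", extract_authorization_code(callback, state))
```

The returned code is what the snippet above feeds to prepare_request_body; a callback whose state does not match the stored one is rejected before any exchange is attempted.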

Password Grant

This grant is used by applications that are highly trusted, such as those installed on a personal device by the user. The client application collects the user's username and password and exchanges them directly for an access token.

import requests
from oauthlib.oauth2 import LegacyApplicationClient

# Initialize the OAuth client
client = LegacyApplicationClient(client_id='<your-client-id>')

# Prepare the request body for the token request
# (token endpoint path assumed; confirm it against your instance)
token_url = 'https://<your-instance>/oauth/token'
token_data = client.prepare_request_body(
    username='<username>',
    password='<password>',
    client_secret='<your-client-secret>',
    include_client_id=True,
)

# Request an access token
response = requests.post(token_url, data=token_data)
response.raise_for_status()  # fail loudly on an error response instead of parsing it
token_info = response.json()

print(f'Access token: {token_info["access_token"]}')

Personal Access Tokens

A Personal Access Token (PAT) is an alternative to using a password for authentication to the API. The PAT is usually generated in the application's user interface and can be revoked at any time.

import requests

# Prepare the headers for the request
headers = {
    'Authorization': 'Bearer <your-personal-access-token>',
}

# Make a request to the API
response = requests.get('https://<your-instance><your-endpoint>', headers=headers)
response.raise_for_status()
print(response.json())


Step 4: Making API Requests

After you have your access token, you can use it to make authenticated requests to the API. Here's an example of how to do this:

import requests

# Prepare the headers for the request
headers = {
    'Authorization': 'Bearer <your-access-token>',
}

# Make a request to the API
response = requests.get('https://<your-instance><your-endpoint>', headers=headers)
response.raise_for_status()
print(response.json())


Replace <your-instance>, <your-access-token>, and <your-endpoint> with your actual values.

Remember: Always protect your client secret, access tokens, personal access tokens, and user credentials. These allow access to the API and should be treated like passwords.

That's it! You now have an access token that you can use to make authenticated requests to the API. Depending on the grant type used and the settings of the OAuth server, this token may expire after some time. If the token does expire, you will need to go through the flow again to get a new token.



© 2024 ProcessMaker, Inc. All Rights Reserved. Except as otherwise permitted by ProcessMaker, this publication, or parts thereof, may not be reproduced in any form, by any method, for any purpose.