NOTE: Some aspects of this product are in Beta. The hybrid installation options are GA. To join the Beta program, reach out to your Apigee representative.

Obtaining client credentials

This topic discusses obtaining client credentials (also called developer keys) for use in the OAuth 2.0 authorization flow.

What are client credentials?

To participate in any OAuth 2.0 authorization flow, all client apps must be registered with Apigee (the authorization server). When you register your app, you will be assigned two credentials: a Key and a Secret. The Key is a public key and Secret must never be made public. These credential keys allow Apigee to uniquely identify the client app.

Getting the key and secret from the Apigee UI

See Viewing an API key and secret.

Getting the key and secret with Apigee APIs

Use an API to get the list of apps in your organization:

curl "https://apigee.googleapis.com/v1/organizations/$ORG/apps" \
  -H "Authorization: Bearer $TOKEN"

Where $TOKEN is set to your OAuth 2.0 access token, as described in Obtaining an OAuth 2.0 access token. For information about the curl options used in this example, see Using curl. For a description of the environment variables used, see Setting environment variables for Apigee API requests.

This call returns a list of apps by app ID.

[ "da496fae-2a04-4a5c-b2d0-709278a6f9db", "50e3e831-175b-4a05-8fb6-05a54701af6e" ]

To retrieve an app's profile:

curl "https://apigee.googleapis.com/v1/organizations/$ORG/apps/$APP" \
   -H "Authorization: Bearer $TOKEN"

Where $TOKEN is set to your OAuth 2.0 access token, as described in Obtaining an OAuth 2.0 access token. For information about the curl options used in this example, see Using curl. For a description of the environment variables used, see Setting environment variables for Apigee API requests.

For example:

$ curl https://apigee.googleapis.com/v1/o/organizations/myorg/apps/da496fae-2a04-4a5c-b2d0-709278a6f9db \
  -H "Authorization: Bearer $TOKEN"

The API returns the profile of the app you specified. For example, an app profile for weatherapp has the following JSON representation:

{
  "accessType" : "read",
  "apiProducts" : [ ],
  "appFamily" : "default",
  "appId" : "da496fae-2a04-4a5c-b2d0-70928a6f9db",
  "attributes" : [ ],
  "callbackUrl" : "http://weatherapp.com",
  "createdAt" : 1380290158713,
  "createdBy" : "noreply_admin@apigee.com",
  "credentials" : [ {
    "apiProducts" : [ {
      "apiproduct" : "PremiumWeatherAPI",
      "status" : "approved"
    } ],
    "attributes" : [ ],
    "consumerKey" : "bBGAQrXgivA9lKu7NMPyYpVKNhGar6K",
    "consumerSecret" : "hAr4Gn0gA9vyvI4",
    "expiresAt" : -1,
    "issuedAt" : 1380290161417,
    "scopes" : [ ],
    "status" : "approved"
  } ],
  "developerId" : "5w95xGkpnjzDBT4",
  "lastModifiedAt" : 1380290158713,
  "lastModifiedBy" : "noreply_admin@apigee.com",
  "name" : "weatherapp",
  "scopes" : [ ],
  "status" : "approved"
}

Note the values for consumerKey and consumerSecret.