It is highly recommended to first view the documentation detailing OAuth on our Security page before starting this walkthrough.

To begin the process, you need MyDigi-Key login credentials. If you do not have a login, you can register here:

Step one

Open a new browser window, paste the following link, and customize it with the client ID from the App creation process and your App Redirect URI.

Replace {YourAppClientIDHere} with your actual client ID.

Replace {YourAppRedirectURIHere} with the redirect URI you placed in your app.


To find your Client ID and Client Secret, navigate to your Apps and click on the app you want to authorize.

Step two

When prompted, you must enter your MyDigi-Key credentials and click "Allow" on the Request for Approval.

Step three

In this example, https://localhost is being used as the redirect URL. Copy the OAuth authorization code from the URL. If you used a redirect URL that points to a web service you own that listens for a code, then you may obtain your code differently. Save the code in a separate document. **This code will expire within thirty minutes.** This is not your token; you must use this code in the next step.

Step four

The token endpoint requires an HTTP POST request.

Create a POST request to

To make the request for your token, you will need to use a developer tool (SoapUI, RestClient, and Postman, to name a few) to create the POST request manually.

It will need to contain the following information:

Method: POST


Headers: Content-Type: application/x-www-form-urlencoded

Body: grant_type=authorization_code&code={authorizationCode}&client_id={clientId}&client_secret={clientSecret}&redirect_uri={redirectURI}

This request will return a JSON object containing your token, a refresh token, and the time until expiration. You may now use your token to make API calls. You may also use the refresh token in a similar POST request to obtain a new set of tokens near your expiration time. By coding a system to automatically use your refresh tokens, you will not need to manually go through the security steps again. More details on the refresh request can be found on our Security page.
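Steps three and four can also be scripted instead of copied by hand. The Python code below is an added example, not Digi-Key's own code: it extracts the authorization code from the URL the browser landed on (decoding it once) and builds the form-encoded POST body (encoding each value once). The function names, the sample values and the `TOKEN_URL` placeholder are assumptions; use the token endpoint given in the documentation.

```python
# Added example (not Digi-Key's code): steps three and four, standard library only.
from urllib.parse import urlsplit, parse_qs, urlencode
from urllib.request import Request


def extract_code(redirected_url, expected_redirect_uri):
    """Return the authorization code from the URL the browser landed on."""
    got, want = urlsplit(redirected_url), urlsplit(expected_redirect_uri)
    # Only accept a code delivered to the redirect URI registered for the app.
    if (got.scheme, got.netloc, got.path.rstrip("/")) != (want.scheme, want.netloc, want.path.rstrip("/")):
        raise ValueError("redirect landed on an unexpected URI")
    params = parse_qs(got.query)  # percent-decodes the values
    if "error" in params:  # OAuth 2.0 error response, e.g. access_denied
        raise ValueError("authorization failed: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one 'code' parameter")
    return codes[0]


def build_token_request(token_url, code, client_id, client_secret, redirect_uri):
    """Build (not send) the step-four POST with a form-encoded body."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    return Request(token_url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    # Constructed sample values; TOKEN_URL is a placeholder, not the real endpoint.
    TOKEN_URL = "https://token-endpoint.example/placeholder"
    landed = "https://localhost/?code=aB3%2Fx9%2Bq"
    code = extract_code(landed, "https://localhost")
    req = build_token_request(TOKEN_URL, code, "sample-client-id", "sample-secret", "https://localhost")
    print(req.get_method(), req.full_url)
    print(req.data.decode().replace("sample-secret", "***"))  # keep the secret out of logs
```

Passing the returned `Request` to `urllib.request.urlopen` sends it; the client secret travels only in the POST body, never in a URL.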