AT&T Developer

OAuth 2.0 API


Introduction


The OAuth 2.0 Authentication Management API lets a third-party app act on behalf of an AT&T Wireless customer on the AT&T Wireless network without the app ever handling the customer's credentials.

Sensitive and private AT&T Wireless customer details are not exposed to the third-party app. The API is based on the OAuth 2.0 open framework, which is widely recognized as providing strong protection for both users and apps.

The API gives you a security model for obtaining an OAuth authorization code and an OAuth access token. A third-party app can access a customer's protected resources without the customer giving the app credentials such as a user name and password. By granting an OAuth authorization code, the customer authorizes the app to access a protected resource on the customer's behalf; the app then exchanges that code for an OAuth access token, which is what it presents when it accesses the protected resource via the AT&T Wireless network.

Considerations


The RESTful OAuth 2.0 Authentication Management API provided by AT&T has the following considerations for you to keep in mind.

  • The OAuth 2.0 Authentication Management API is the source of OAuth access tokens for use with all of the APIs provided by AT&T.
  • You should specify an API scope in your request for all of the APIs that are included in your app account.
  • The current implementation of this API sets the default value for the expires_in parameter to 172800 seconds, which means the time-to-live for the OAuth access token is 2 days. The time-to-live for the OAuth refresh token is 7776000 seconds, which is 90 days.

Note: The actual time-to-live value may be different, so your app should always read the expires_in value from each token response rather than assuming 2 days.

  • The current implementation of this API implements a Remember Me feature, which simplifies the process of granting consent by remembering the customer after the initial authorization. The Remember Me feature is enabled by default.

Provisioning


The RESTful OAuth 2.0 Authentication Management API provided by AT&T requires that you provision your app as follows.

You must register an app account on the AT&T Developer Program website in order to utilize this API.


Resources

Get Access Token


The Get Access Token method obtains an OAuth access token, which the authorized app must present on subsequent RESTful API requests to the API Gateway.

Your app must provide the App Key and App Secret that are specified in your app account in order to obtain an OAuth access token from the API Gateway.

The OAuth access token can be obtained using any of the following workflows.

  • Using the OAuth Authorization Code

    This mechanism is used for an app that makes requests to APIs that require consent from the user.

    You must send a Get User Authorization method request for an OAuth authorization code prior to requesting an OAuth access token.

    The OAuth authorization code signifies that the user consent flow completed successfully, and it must be exchanged for an OAuth access token.

    This is the default configuration of the API Gateway for the following APIs.

    • Address Book API (AAB)
    • Device Capabilities API (DC)
    • In-App Messaging API (IMMN, MIM)

  • Using the App Key and App Secret

    This mechanism (the client_credentials grant) is used for an app that makes requests to APIs that do not require user consent.

    This is the default configuration of the API Gateway for the following APIs.

    • Advertising API (ADS)
    • MMS API (MMS)
    • SMS API (SMS)
    • Speech API (SPEECH, STTC, TTS)

  • Using an OAuth Refresh Token

    This mechanism is used to obtain a new OAuth access token using an OAuth refresh token.

    The OAuth refresh token can be used regardless of whether the original OAuth access token was requested using the OAuth authorization code or the App Key and App Secret.

    This method does not require customer interaction, even if the initial OAuth access token was obtained using an OAuth authorization code.

    An OAuth refresh token is valid for 90 days, as indicated in the Considerations section.

    Note: Each time a new OAuth access token is issued, the OAuth refresh token that was used and its associated OAuth access token are invalidated and cannot be used again. Your app must replace its stored refresh token with the one returned in the new response.

  • OAuth Scope

    Scope: Not Applicable

    Model: Not Applicable

    Resource

    POST https://api.att.com/oauth/v4/token

    URL Encoded (authorization_code)

    Request

    POST https://api.att.com/oauth/v4/token HTTP/1.1
    Host: api.att.com
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    User-Agent: curl/7.37.0
    Content-Length: 125

    client_id=ABCDEF0123456789ABCDEF0123456789&client_secret=ABCDEF0123456789&grant_type=authorization_code&code=ABCDEF0123456789

    Response

    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-store
    Date: Wed, 30 Mar 2011 07:18:40 GMT

    {
      "access_token": "xyz123456789",
      "expires_in": 172800,
      "refresh_token": "abc987654321",
      "token_type": "bearer"
    }

    URL Encoded (client_credentials)

    Request

    POST https://api.att.com/oauth/v4/token HTTP/1.1
    Host: api.att.com
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    User-Agent: curl/7.37.0
    Content-Length: 113

    client_id=ABCDEF0123456789ABCDEF0123456789&client_secret=ABCDEF0123456789&grant_type=client_credentials&scope=ADS

    Response

    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-store
    Date: Wed, 30 Mar 2011 07:18:40 GMT

    {
      "access_token": "xyz123456789",
      "expires_in": 172800,
      "refresh_token": "abc987654321",
      "token_type": "bearer"
    }

    URL Encoded (refresh_token)

    Request

    POST https://api.att.com/oauth/v4/token HTTP/1.1
    Host: api.att.com
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    User-Agent: curl/7.37.0
    Content-Length: 161

    client_id=ABCDEF0123456789ABCDEF0123456789&client_secret=ABCDEF0123456789&grant_type=refresh_token&refresh_token=ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789

    Response

    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-store
    Date: Wed, 30 Mar 2011 07:18:40 GMT

    {
      "access_token": "xyz123456789",
      "expires_in": 172800,
      "refresh_token": "abc987654321",
      "token_type": "bearer"
    }

    Accept

    String

    Header

    Specifies the format of the body for the response. The acceptable values for this parameter are:

    • application/json

    The default value is application/json.
    Note: For this method, this parameter only affects how an error response is represented. A successful response is returned in the form of the actual content (the JSON token document shown in the examples above).

    client_id

    String

    Body

    Specifies a key that identifies the user's app.

    Note: This parameter value is the App Key that is assigned to the app account on the AT&T Developer Program website.

    client_secret

    String

    Body

    Specifies a secret key associated with the user's app.

    Note: This parameter value is the App Secret that is assigned to the app account on the AT&T Developer Program website.

    code

    String

    Body

    Specifies the OAuth authorization code that is returned by the API Gateway when a user authorizes the app account to consume APIs on the user's behalf.

    Note: This parameter is required only when the grant_type parameter is set to authorization_code.

    Content-Type

    String

    Header

    Specifies the type of content.

    The only acceptable value for this parameter is:

    • application/x-www-form-urlencoded

    grant_type

    String

    Body

    Specifies the grant type used to obtain the OAuth access token.

    The acceptable values for this parameter are:

    • authorization_code : The code value returned by the Get User Authorization method is used.
    • client_credentials : The App Key and App Secret are used.
    • refresh_token : The refresh_token from a previous response to this method request is used.

    refresh_token

    String

    Body

    Specifies the OAuth refresh token that is returned by the API Gateway during a previous response to this method request.

    This parameter value is stored and used to obtain a new OAuth access token when the initial OAuth access token expires.

    Note: This parameter is required in the request only when the grant_type parameter is set to refresh_token.

    scope

    String

    Body

    Specifies the APIs associated with your app account to which the app is requesting access. As the client_credentials example above shows, this parameter is sent in the URL-encoded request body alongside grant_type, not as an HTTP header.

    The format for this parameter value is a comma-delimited list.

    The acceptable values for this parameter are:

    • ADS : Advertising API.
    • MMS : MMS API.
    • SMS : SMS API.
    • SPEECH : Speech API - Speech To Text method.
    • STTC : Speech API - Speech To Text Custom method.
    • TTS : Speech API - Text To Speech method.

    Note: This parameter is only required when the grant_type parameter is set to client_credentials.

    Example: scope=ADS

    Example: scope=SPEECH,STTC,TTS

    Example: scope=MMS,SMS,SPEECH,STTC,TTS
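The three grants described above differ only in the form fields they send; what a client has to get right is the handling around them: sending the App Key and App Secret only in the POST body over TLS, reading expires_in from every response instead of assuming 172800, and replacing the stored refresh token after each token request because the gateway invalidates the one that was used. The following Python client is an added example written for this page; it is not AT&T's SDK or sample code. Only the token URL, the field names and the response shape come from the page. FakeGateway, the token values it issues and the APPKEY/APPSECRET/CODE1 values are constructed for offline use, and the real transport (http_post_form) is shown but not exercised.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.att.com/oauth/v4/token"   # from the page

def http_post_form(url, form):
    """Real transport: POST a URL-encoded form, return (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded",
                                          "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:          # gateway error responses carry JSON too
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})

class TokenClient:
    REFRESH_SKEW = 60   # refresh this many seconds before the access token expires

    def __init__(self, client_id, client_secret, transport=http_post_form, clock=time.time):
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._clock = transport, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _grant(self, **fields):
        # App Key and App Secret travel only in the POST body over TLS, never in a URL.
        status, body = self._post(TOKEN_URL, {**self._creds, **fields})
        if status != 200 or "access_token" not in body:
            raise PermissionError(f"token request failed: {status} {body}")
        self.access_token = body["access_token"]
        # The refresh token just used is now invalid; keep the one the gateway rotated in.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        # Trust the TTL in this response, not the documented 172800-second default.
        self.expires_at = self._clock() + int(body["expires_in"])
        return self.access_token

    def exchange_code(self, code):
        return self._grant(grant_type="authorization_code", code=code)

    def client_credentials(self, scopes):
        return self._grant(grant_type="client_credentials", scope=",".join(scopes))

    def refresh(self):
        if not self.refresh_token:
            raise PermissionError("no refresh token; rerun the user consent flow")
        return self._grant(grant_type="refresh_token", refresh_token=self.refresh_token)

    def bearer(self):
        """Token for the Authorization: Bearer header, refreshed when close to expiry."""
        if self._clock() >= self.expires_at - self.REFRESH_SKEW:
            self.refresh()
        return self.access_token

class FakeGateway:
    """Offline stand-in for the token endpoint, constructed for this example; it applies
    the page's rule that a used refresh token and its access token become invalid."""

    def __init__(self, client_id, client_secret, valid_codes):
        self._creds = (client_id, client_secret)
        self._codes, self._live_refresh = set(valid_codes), set()
        self._issued = 0

    def _issue(self):
        self._issued += 1
        self._live_refresh.add(f"rt{self._issued}")
        return 200, {"access_token": f"at{self._issued}", "expires_in": 172800,
                     "refresh_token": f"rt{self._issued}", "token_type": "bearer"}

    def __call__(self, url, form):
        if url != TOKEN_URL or (form.get("client_id"), form.get("client_secret")) != self._creds:
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code" and form.get("code") in self._codes:
            return self._issue()
        if grant == "client_credentials" and form.get("scope"):
            return self._issue()
        if grant == "refresh_token" and form.get("refresh_token") in self._live_refresh:
            self._live_refresh.discard(form["refresh_token"])
            return self._issue()
        return 400, {"error": "invalid_grant"}

def demo():
    # Code exchange, then a proactive refresh, then replay of the consumed refresh token.
    now = [1_700_000_000.0]                                   # controllable clock
    gateway = FakeGateway("APPKEY", "APPSECRET", valid_codes={"CODE1"})
    client = TokenClient("APPKEY", "APPSECRET", transport=gateway, clock=lambda: now[0])
    first = client.exchange_code("CODE1")
    used_refresh = client.refresh_token
    now[0] += 172800 - 30                                     # inside the refresh window
    second = client.bearer()                                  # triggers a refresh_token grant
    replay_status, _ = gateway(TOKEN_URL, {"client_id": "APPKEY", "client_secret": "APPSECRET",
                                           "grant_type": "refresh_token",
                                           "refresh_token": used_refresh})
    return {"first": first, "second": second, "replay_status": replay_status}
```

To run against the real gateway, construct TokenClient with your App Key and App Secret and leave the default transport in place. The only state worth persisting between runs is the latest refresh token; persisting the old one after a refresh guarantees an invalid_grant error later, which is exactly what demo() shows with replay_status.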

Get User Authorization

The Get User Authorization method obtains an OAuth authorization code.

This method triggers the user consent flow, which authenticates the user and captures the consent the user gives to the app.

The user is shown the one or more API scopes that you specified in your app account.

The successful response provides an OAuth authorization code that may be exchanged for an OAuth access token with permission to access the specified APIs.

The request and response flow for this method, including the user consent flow, is the following.

1. The app initiates the flow by directing the user's user-agent to the authorization endpoint.
2. The authorization server authenticates the user via the user-agent, establishes the user's identity, and records whether the user grants or denies your access request.
3. If the user grants access, the authorization server redirects the user-agent back to the app using the redirection URI provided earlier. The redirection URI carries the OAuth authorization code (not an access token) as a query parameter; the app then exchanges that code for an OAuth access token using the Get Access Token method.
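The three steps above leave the callback handling to the app, and that is where the security-relevant checks live: bind each authorization request to the user's session with an unguessable state value, accept a callback only if it carries that state and only once, check that it arrived at the registered redirection URI, and treat an error parameter as a denial rather than as something to retry. The following Python helper is an added example written for this page, not AT&T's code. The page names the Get User Authorization method but gives neither its URL nor its parameters, so AUTHORIZE_URL and the client_id, scope, redirect_uri, state, code and error parameter names are assumptions that follow RFC 6749 and must be checked against the method reference before use. The code is read from the callback's query string, which is where the authorization code grant places it; the APPKEY value and the callback URLs in the usage are constructed.

```python
import secrets
import urllib.parse

# ASSUMED: the page names the Get User Authorization method but not its URL or
# parameters. This location and the parameter names follow RFC 6749 and must be
# checked against the method reference before use.
AUTHORIZE_URL = "https://api.att.com/oauth/v4/authorize"


def query_params(url):
    """Query string of a URL as a dict (the fragment is never sent to the server)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


class ConsentFlow:
    """Builds the redirect to the authorization endpoint and validates the callback."""

    def __init__(self, client_id, redirect_uri, scopes):
        self._client_id = client_id
        self._redirect_uri = redirect_uri
        self._scope = ",".join(scopes)        # comma-delimited, as in the page's scope format
        self._pending = set()                 # states of consent requests still in flight

    def start(self):
        """Step 1: the URL to send the user-agent to."""
        state = secrets.token_urlsafe(32)     # unguessable; binds the callback to this request
        self._pending.add(state)
        query = urllib.parse.urlencode({"client_id": self._client_id, "scope": self._scope,
                                        "redirect_uri": self._redirect_uri, "state": state})
        return f"{AUTHORIZE_URL}?{query}"

    def finish(self, callback_url):
        """Step 3: validate the redirect back to the app and return the authorization code."""
        got = urllib.parse.urlsplit(callback_url)
        want = urllib.parse.urlsplit(self._redirect_uri)
        if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
            raise ValueError("callback did not arrive at the registered redirect URI")
        params = query_params(callback_url)
        state = params.get("state")
        if state not in self._pending:
            raise ValueError("unknown or already-used state: possible CSRF or replay")
        self._pending.discard(state)          # exactly one callback per authorization request
        if "error" in params:                 # user denied, or the server refused the request
            raise PermissionError(f"authorization not granted: {params['error']}")
        code = params.get("code")
        if not code:
            raise ValueError("callback carries neither a code nor an error")
        return code


# Usage with constructed values: flow = ConsentFlow("APPKEY", "https://app.example/cb", ["AAB", "DC"])
# then redirect the user to flow.start(), and call flow.finish(<callback URL>) to get the code.
```

The code that finish() returns goes straight into a grant_type=authorization_code request to the token resource. In a multi-user app the pending state belongs in the user's server-side session rather than in one process-wide set, so that one user's callback can never satisfy another user's request.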

Revoke Token

The Revoke Token method revokes an OAuth access token or OAuth refresh token.

©2025 AT&T Intellectual Property. All rights reserved
