Creating your first OAuth Token

In this section we are going to show you how to get secure access to Fides' API. Fides' API supports the OAuth2 Client Credentials Grant which requires to you create a Client ID and Secret with a specified set of scopes.

If you are self-deploying and not using Fides Cloud (opens in a new tab), you might recall that you created a Root OAuth Client ID and Client Secret, however, like any good security oriented company, we strongly recommend you do not use Root credentials for day-to-day tasks. Use the Root Credentials to create a new Client ID/Secret pair with limited scopes using the endpoint below.

If you are using Fides Cloud, reach out to your Customer Success Manager and they will provide the initial OAuth token to create additional tokens.

Loading latest documentation...

Steps

1. Using POST - /api/v1/oauth/token, pass in the Root Client ID and Secret with the appropriate scopes requested to get your intial Access Token.
   • Note - if using /docs you can input this into (Swagger's)[https://github.com/swagger-api/swagger-ui (opens in a new tab)] Authorize button in the top right corner of the API Docs
   
   
2. Using this Access Token as the Bearer Token (if you are not using Swagger), make a request to POST - /api/v1/client to create your new Client that will be used to access the APIs on a day-to-day basis.
   
   
3. We now need to assign scopes to this new Client. Using the Scopes found in the Fides Scope Registry (opens in a new tab), we make a request to PUT - /api/v1/oauth/client/{client_id}/scope below is a sample payload. For Production purposes, we recommend downscoping the permissions found in this payload.

   [
   “allow_list:create”,
   “allow_list:delete”,
   “allow_list:read”,
   “allow_list:update”,
   “classify_instance:create”,
   “classify_instance:read”,
   “classify_instance:update”,
   “cli-objects:create”,
   “cli-objects:delete”,
   “cli-objects:read”,
   “cli-objects:update”,
   “client:create”,
   “client:delete”,
   “client:read”,
   “client:update”,
   “config:read”,
   “config:update”,
   “connection:authorize”,
   “connection:create_or_update”,
   “connection:delete”,
   “connection:instantiate”,
   “connection:read”,
   “connection_type:read”,
   “connector_template:register”,
   “consent:read”,
   “ctl_dataset:create”,
   “ctl_dataset:delete”,
   “ctl_dataset:read”,
   “ctl_dataset:update”,
   “ctl_policy:create”,
   “ctl_policy:delete”,
   “ctl_policy:read”,
   “ctl_policy:update”,
   “current-privacy-preference:read”,
   “custom_field:create”,
   “custom_field:delete”,
   “custom_field:read”,
   “custom_field:update”,
   “custom_field_definition:create”,
   “custom_field_definition:delete”,
   “custom_field_definition:read”,
   “custom_field_definition:update”,
   “data_category:create”,
   “data_category:delete”,
   “data_category:read”,
   “data_category:update”,
   “data_qualifier:create”,
   “data_qualifier:delete”,
   “data_qualifier:read”,
   “data_qualifier:update”,
   “data_subject:create”,
   “data_subject:delete”,
   “data_subject:read”,
   “data_subject:update”,
   “data_use:create”,
   “data_use:delete”,
   “data_use:read”,
   “data_use:update”,
   “database:reset”,
   “datamap:read”,
   “dataset:create_or_update”,
   “dataset:delete”,
   “dataset:read”,
   “encryption:exec”,
   “evaluation:create”,
   “evaluation:delete”,
   “evaluation:read”,
   “evaluation:update”,
   “fides_taxonomy:update”,
   “generate:exec”,
   “masking:exec”,
   “masking:read”,
   “messaging:create_or_update”,
   “messaging:delete”,
   “messaging:read”,
   “organization:create”,
   “organization:delete”,
   “organization:read”,
   “organization:update”,
   “policy:create_or_update”,
   “policy:delete”,
   “policy:read”,
   “privacy-experience:create”,
   “privacy-experience:read”,
   “privacy-experience:update”,
   “privacy-notice:create”,
   “privacy-notice:read”,
   “privacy-notice:update”,
   “privacy-preference-history:read”,
   “privacy-request-notifications:create_or_update”,
   “privacy-request-notifications:read”,
   “privacy-request:create”,
   “privacy-request:delete”,
   “privacy-request:read”,
   “privacy-request:resume”,
   “privacy-request:review”,
   “privacy-request:transfer”,
   “privacy-request:upload_data”,
   “privacy-request:view_data”,
   “registry:create”,
   “registry:delete”,
   “registry:read”,
   “registry:update”,
   “rule:create_or_update”,
   “rule:delete”,
   “rule:read”,
   “saas_config:create_or_update”,
   “saas_config:delete”,
   “saas_config:read”,
   “scope:read”,
   “storage:create_or_update”,
   “storage:delete”,
   “storage:read”,
   “system:create”,
   “system:delete”,
   “system:read”,
   “system:update”,
   “system_manager:delete”,
   “system_manager:read”,
   “system_manager:update”,
   “system_scan:create”,
   “system_scan:read”,
   “taxonomy:create”,
   “taxonomy:delete”,
   “taxonomy:update”,
   “user-permission:assign_owners”,
   “user-permission:create”,
   “user-permission:read”,
   “user-permission:update”,
   “user:create”,
   “user:delete”,
   “user:password-reset”,
   “user:read”,
   “user:update”,
   “validate:exec”,
   “webhook:create_or_update”,
   “webhook:delete”,
   “webhook:read”
   ]

4. We are now ready to use this new Client ID and Secret pair to execute requests against the Fides API.