API Authentication

  • Last update on May 21st, 2026

Table of Contents

CoreView Public APIs are secured through OAuth 2.0 / OpenID Connect. Authentication uses the Client Credentials flow, which enables server-to-server communication by requesting an access token with a client ID and client secret.

Identity provider

Use the identity provider that matches the target environment:

  • Standard environments: https://identity.coreview.com
  • GOV environments: https://usidentity.coreview.com

OpenID configuration

The OpenID Connect metadata documents are available at the following URLs:

  • Standard: https://identity.coreview.com/.well-known/openid-configuration
  • GOV: https://usidentity.coreview.com/.well-known/openid-configuration

These documents provide the standard OAuth 2.0 / OpenID Connect discovery details, including the token endpoint.

Authentication flow

CoreView Public APIs use a standard Client Credentials flow:

  1. Obtain a valid Client ID and Client Secret from CoreView Support.
  2. Request a JWT access token from the CoreView Identity Provider.
  3. Use the token to call the CoreView Public API host associated with the correct datacenter.

Token endpoint

To obtain an access token, send a POST request to the token endpoint exposed by the identity provider. The token endpoint can be read from the OpenID configuration document.

Example for standard environments:

POST /connect/token HTTP/1.1
Host: identity.coreview.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic base64(CLIENT_ID + ":" + CLIENT_SECRET)

grant_type=client_credentials&scope=SPACE_SEPARATED_SCOPES

Sample request

POST /connect/token HTTP/1.1
Host: identity.coreview.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic c2FtcGxlY2xpZW50aWQ6c2FtcGxlY2xpZW50c2VjcmV0Cg==
Content-Length: 173

grant_type=client_credentials&scope=delegation.read%20delegation.write%20operator.read%20operator.write%20platform.read%20licensepool.write%20licensepool.read%20license.read

Sample response

{
    "access_token": "eyJhbGciOiJ...",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": "delegation.read delegation.write license.read licensepool.read licensepool.write operator.read operator.write platform.read"
}

API hosts by datacenter

API requests must be sent to the host that matches the customer datacenter.

Datacenter API host
EU apiproxy.coreview.com
EUS usapiproxy.coreview.com
CAE caeapiproxy.coreview.com
AUS ausapiproxy.coreview.com
UKN uknapiproxy.coreview.com
GOV usgovapiproxy.coreview.com

Notes

  • The access_token is a JSON Web Token (JWT) used to authorize API requests.
  • The token expires after 3600 seconds (1 hour). After expiration, a new token must be requested.
  • Client credentials must be stored securely and kept confidential.
  • The token endpoint should be taken from the OpenID configuration document for the relevant environment.
  • API requests must be sent to the API host associated with the customer datacenter.

 

 

Related Articles

DID THIS PAGE HELP YOU?