# Authentication

OAuth2 authentication endpoints for obtaining and refreshing access tokens

## Get access token using client credentials

> Authenticate using your OAuth2 client credentials, sent as HTTP Basic authentication (base64-encoded `client_id:client_secret`), to obtain an organization-level access token.

```json
{"openapi":"3.0.3","info":{"title":"Blynk Platform API","version":"1.0.0"},"tags":[{"name":"Authentication","description":"OAuth2 authentication endpoints for obtaining and refreshing access tokens"}],"servers":[{"url":"https://{server_address}","description":"Blynk Server","variables":{"server_address":{"default":"blynk.cloud","description":"Your Blynk server domain"}}}],"security":[{"basicAuth":[]}],"components":{"securitySchemes":{"basicAuth":{"type":"http","scheme":"basic","description":"HTTP Basic authentication using OAuth2 client credentials (base64-encoded `client_id:client_secret`)"}},"schemas":{"OAuth2Token":{"type":"object","description":"OAuth2 access token response","properties":{"access_token":{"type":"string","description":"Access token for authenticating API requests. Use as `Bearer` token in the `Authorization` header."},"token_type":{"type":"string","enum":["Bearer"],"description":"Token type"},"expires_in":{"type":"integer","format":"int32","description":"Token expiration time in seconds."},"refresh_token":{"type":"string","nullable":true,"description":"Refresh token for obtaining new access tokens."}},"required":["access_token","token_type","expires_in"]},"OAuth2ErrorResponse":{"type":"object","description":"OAuth2 error response following RFC 6749","properties":{"error":{"type":"string","description":"Error code","enum":["invalid_request","invalid_client","invalid_grant","unauthorized_client","unsupported_grant_type"]},"error_description":{"type":"string","description":"Human-readable error description"}},"required":["error","error_description"]}}},"paths":{"/oauth2/token?grant_type=client_credentials":{"post":{"tags":["Authentication"],"summary":"Get access token using client credentials","description":"Authenticate using your OAuth2 client credentials to obtain an organization-level access token.","operationId":"getAccessTokenByClientCredentials","parameters":[],"responses":{"200":{"description":"Access token issued 
successfully","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2Token"}}}},"400":{"description":"Authentication failed","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2ErrorResponse"}}}},"500":{"description":"Internal server error"}}}}}}
```

## Get access token using user credentials

> Authenticate using OAuth2 client credentials (HTTP Basic) along with the user's email and password, sent in the JSON request body as `userEmail` and `password`, to obtain a user-level access token.\
> The user must belong to the same organization as the OAuth2 client, or to one of its child organizations.

```json
{"openapi":"3.0.3","info":{"title":"Blynk Platform API","version":"1.0.0"},"tags":[{"name":"Authentication","description":"OAuth2 authentication endpoints for obtaining and refreshing access tokens"}],"servers":[{"url":"https://{server_address}","description":"Blynk Server","variables":{"server_address":{"default":"blynk.cloud","description":"Your Blynk server domain"}}}],"security":[{"basicAuth":[]}],"components":{"securitySchemes":{"basicAuth":{"type":"http","scheme":"basic","description":"HTTP Basic authentication using OAuth2 client credentials (base64-encoded `client_id:client_secret`)"}},"schemas":{"OAuth2Token":{"type":"object","description":"OAuth2 access token response","properties":{"access_token":{"type":"string","description":"Access token for authenticating API requests. Use as `Bearer` token in the `Authorization` header."},"token_type":{"type":"string","enum":["Bearer"],"description":"Token type"},"expires_in":{"type":"integer","format":"int32","description":"Token expiration time in seconds."},"refresh_token":{"type":"string","nullable":true,"description":"Refresh token for obtaining new access tokens."}},"required":["access_token","token_type","expires_in"]},"OAuth2ErrorResponse":{"type":"object","description":"OAuth2 error response following RFC 6749","properties":{"error":{"type":"string","description":"Error code","enum":["invalid_request","invalid_client","invalid_grant","unauthorized_client","unsupported_grant_type"]},"error_description":{"type":"string","description":"Human-readable error description"}},"required":["error","error_description"]}}},"paths":{"/oauth2/token?grant_type=user_credentials":{"post":{"tags":["Authentication"],"summary":"Get access token using user credentials","description":"Authenticate using OAuth2 client credentials along with the user's email and password to obtain a user-level access token.\nThe user must belong to the same organization (or its child) as the OAuth2 
client.\n","operationId":"getAccessTokenByUserCredentials","parameters":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","properties":{"userEmail":{"type":"string","format":"email","description":"User email address"},"password":{"type":"string","format":"password","description":"User password"}},"required":["userEmail","password"]}}}},"responses":{"200":{"description":"Access token issued successfully","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2Token"}}}},"400":{"description":"Authentication failed","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2ErrorResponse"}}}},"500":{"description":"Internal server error"}}}}}}
```

## Refresh an access token

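> Exchange a refresh token for a new access token.\
> Each refresh token can only be used **once** — after use, the previous refresh token is invalidated and a new one is returned, so store the returned refresh token in place of the old one.\
> The refresh token is passed as the `refresh_token` query parameter, so it can appear in request URLs recorded by proxies and server access logs; treat those logs as sensitive.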

```json
{"openapi":"3.0.3","info":{"title":"Blynk Platform API","version":"1.0.0"},"tags":[{"name":"Authentication","description":"OAuth2 authentication endpoints for obtaining and refreshing access tokens"}],"servers":[{"url":"https://{server_address}","description":"Blynk Server","variables":{"server_address":{"default":"blynk.cloud","description":"Your Blynk server domain"}}}],"security":[{"basicAuth":[]}],"components":{"securitySchemes":{"basicAuth":{"type":"http","scheme":"basic","description":"HTTP Basic authentication using OAuth2 client credentials (base64-encoded `client_id:client_secret`)"}},"schemas":{"OAuth2Token":{"type":"object","description":"OAuth2 access token response","properties":{"access_token":{"type":"string","description":"Access token for authenticating API requests. Use as `Bearer` token in the `Authorization` header."},"token_type":{"type":"string","enum":["Bearer"],"description":"Token type"},"expires_in":{"type":"integer","format":"int32","description":"Token expiration time in seconds."},"refresh_token":{"type":"string","nullable":true,"description":"Refresh token for obtaining new access tokens."}},"required":["access_token","token_type","expires_in"]},"OAuth2ErrorResponse":{"type":"object","description":"OAuth2 error response following RFC 6749","properties":{"error":{"type":"string","description":"Error code","enum":["invalid_request","invalid_client","invalid_grant","unauthorized_client","unsupported_grant_type"]},"error_description":{"type":"string","description":"Human-readable error description"}},"required":["error","error_description"]}}},"paths":{"/oauth2/token?grant_type=refresh_token":{"post":{"tags":["Authentication"],"summary":"Refresh an access token","description":"Exchange a refresh token for a new access token.\nEach refresh token can only be used **once** — after use, the previous refresh token is invalidated and a new one is 
returned.\n","operationId":"refreshAccessToken","parameters":[{"name":"refresh_token","in":"query","required":true,"schema":{"type":"string"},"description":"The refresh token obtained from a previous token response"}],"responses":{"200":{"description":"Access token refreshed successfully","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2Token"}}}},"400":{"description":"Authentication failed","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2ErrorResponse"}}}},"500":{"description":"Internal server error"}}}}}}
```
