2-Legged Authentication Using Postman

I have mentioned a few times in the past that Postman is a useful tool for learning and troubleshooting. Since there are many language choices for making REST API calls (e.g., NodeJS, PHP, Ruby, ASP.NET), let’s start with Postman to get a feel for the workflow of making calls with the Forge API.

As I mentioned in my earlier post, there are two types of authentication methods for Forge: 2-legged and 3-legged. Let’s start with 2-legged, as it is less complex in terms of making a REST call.



2-legged authentication is used to access data in BIM 360 HQ and Docs for business-to-business integration or application-to-application context. You use your app’s client ID and secret to obtain a token to access data in subsequent calls.

URL: https://developer.api.autodesk.com/authentication/v1/authenticate

Method: POST


Headers:

  • Content-Type

Body:

  • client_id
  • client_secret
  • grant_type
  • scope (optional)

Reference: https://developer.autodesk.com/en/docs/oauth/v2/reference/http/authenticate-POST/

Getting Started: https://developer.autodesk.com/en/docs/oauth/v2/tutorials/get-2-legged-token/

The steps below show a sample use of Postman to call 2-legged authentication and get a token.

(1) Set the URL and choose POST as the method. In the Headers tab, set Content-Type to “application/x-www-form-urlencoded” (image below).


(2) In the Body tab (image below), select the “x-www-form-urlencoded” radio button and enter the four parameters. client_id and client_secret come from your app. grant_type is always “client_credentials”. scope can be “data:read”, “data:write”, “bucket:create”, etc., or a combination of them. You can find a full list of scopes here.


(3) That is all you need to set up the request. Press “Send” to make the call. The response will be in JSON format. When the call succeeds, you will see “access_token” (image below). You will use this value for subsequent calls.


Tip #1: Use of Environment/Global Variables

Being able to make a REST call without any coding is wonderful. But sooner or later, you will most likely find it tedious to copy and paste an access token manually. Luckily, Postman provides simple scripting functionality to make this easier. You can define a global variable and set/get its value to pass it among different REST calls.

(1) To define a global variable, go to “gear” icon >> Manage Environments (image below).


(2) In the “Manage Environments” dialog, choose “Globals” (the button is at the bottom of the dialog). Define variables there. In the image below, for example, I’m defining three variables: myToken, myClientID and myClientSecrect. myToken is where I want to keep an access token. The latter two keep the values from my app. In the URL and parameter definitions, you can access variables using double curly brackets, e.g., {{myToken}}.


(3) Once you have a global variable defined, you can add a small script. Below is an example of a post-call action in the Tests tab, where you take the response body, extract the value of access_token, and set it to a global variable called “myToken”. (The list of text in orange on the right pane is actually a collection of small templates with scripts. Try them out for more scripting options.)


When a call is successfully made, you can access the value of the access token with {{myToken}}.
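A Tests-tab script for step (3), written out as an added example; it is not the script from the original post. It assumes Postman's pm.* scripting API and that the response carries the standard OAuth 2.0 token_type and expires_in fields next to access_token; parseTokenResponse and myTokenExpiresAtMs are hypothetical names.

```javascript
// Added example for Postman's Tests tab; outside Postman it runs on a constructed sample.
// parseTokenResponse and myTokenExpiresAtMs are hypothetical names, not Postman or Forge APIs.
function parseTokenResponse(statusCode, bodyText, nowMs) {
  if (statusCode !== 200) {
    throw new Error("authenticate returned HTTP " + statusCode);
  }
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    throw new Error("response body is not JSON");
  }
  if (body === null || typeof body !== "object") {
    throw new Error("response body is not a JSON object");
  }
  if (typeof body.access_token !== "string" || body.access_token.length === 0) {
    throw new Error("response has no access_token");
  }
  // Assumption: the standard OAuth 2.0 fields token_type and expires_in are present.
  if (String(body.token_type).toLowerCase() !== "bearer") {
    throw new Error("unexpected token_type");
  }
  const lifetimeSec = Number(body.expires_in);
  if (!Number.isFinite(lifetimeSec) || lifetimeSec <= 0) {
    throw new Error("missing or invalid expires_in");
  }
  return { token: body.access_token, expiresAtMs: nowMs + lifetimeSec * 1000 };
}

// Constructed sample response; the token value is not a real credential.
const SAMPLE_BODY =
  '{"token_type":"Bearer","expires_in":3599,"access_token":"constructed-sample-token"}';

if (typeof pm !== "undefined") {
  // Inside Postman: store the token without logging it, plus its expiry time.
  try {
    const result = parseTokenResponse(pm.response.code, pm.response.text(), Date.now());
    pm.globals.set("myToken", result.token);
    pm.globals.set("myTokenExpiresAtMs", String(result.expiresAtMs));
  } catch (e) {
    pm.globals.unset("myToken"); // a failed call must not leave a stale token behind
    throw e;
  }
} else {
  // Outside Postman: exercise the parser on the constructed sample.
  const demo = parseTokenResponse(200, SAMPLE_BODY, 0);
  console.log("token length:", demo.token.length, "expiresAtMs:", demo.expiresAtMs);
}
```

Clearing myToken on failure means a later request that uses {{myToken}} fails visibly instead of silently sending an old token.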


