3-Legged Authentication Using Postman

Continuing from the previous post about 2-legged authentication, let’s take a look at 3-legged authentication or more precisely OAuth 2.0 3-legged authentication with Forge next. My colleague, Adam Nagy, has already written a blog post about calling 3-legged using Postman. My rewrite will be with additional comments with BIM 360 in mind.

BIM 360 Team and Docs support 3-legged. Account Admin does not. Account Admin supports 2-legged only.



3-legged authentication is used to access data in BIM 360 Team and Docs in user context. The during the authentication process, you will be prompted to login using the Autodesk account. You can use access token to access only the data that the given user is permitted.

3-legged requires two calls. Postman provides a nice utility to make this process simple.

Method and URL:

The first one is to redirect the user to obtain the user consent to authorize the app to access your data on your behalf. The second is to get an access token.


Get Started: https://developer.autodesk.com/en/docs/oauth/v2/tutorials/get-3-legged-token/

Steps below shows a sample usage of Postman calling 3-legged authentication to get a token.

(1) Go to Authorization tab. Choose “OAuth 2.0” as the type. Press “Get New Access Token” button (image below).


(2) In the “Get New Access Token” dialog (image below), fill in the information as follows:

  • Token Name = <this can be any name. You can use it to access the token generated later using this name>
  • Auth URL =  https://developer.api.autodesk.com/authentication/v1/authorize
  • Access Token URL = https://developer.api.autodesk.com/authentication/v1/gettoken
  • Client ID = <copy your client ID here>
  • Client Secret = <copy your client secret here>
  • Scope = data:read <or other scope as needed>
  • Grant Type = Authorization Code

But don’t press “Request Token”, yet.

Notice the Callback URL: https://www.getpostman.com/oauth2/callback, and below, it says “Set this as the callback URL in your app settings page.”


(3) Before we press “Request Token”, you need to set callback URL in the app you created in the Autodesk developer portal.

Go to the developer portal >> My Apps:


Edit your app and set callback URL as https://www.getpostman.com/oauth2/callback.  Save your edit.


(4) Finally in Postman “Get New Access Token” dialog, press “Request Token”. If everything goes well, you will be prompted to login using Autodesk account login page (image below) followed by a consent page.


(5) When everything goes as expected, you will see an access token along with refresh token, token_type and expiration time length (see the image below).

You can copy and paste the access token from here. The “Use Token” button will copy the token in the Header.


The image below show how the header tab looks like after the token is added to the header. Notice that “Bearer” is prefixed to the token.


You are ready to use the token to access data.

Note: You may wonder if there is a way to add the token to subsequent calls automatically, just like we did with 2-legged. The answer seems to be “no” at a moment. See this post for discussion.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s