OAuth 2.0

CompanyCam uses the OAuth 2.0 flow to authenticate users and generate access tokens for applications.

The authorization code grant type is used to obtain both an access token and refresh token and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner’s user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.

This request requires a client id and secret, which you can get by filling out this form.

Authorization Grant

The first stage of generating an access token is to redirect the user to the CompanyCam authorization URI.

curl "https://app.companycam.com/oauth/authorize?client_id={client_id}&redirect_uri={authorized_redirect_uri}&response_type=code&scope=read+write+destroy"

The request URI can be generated using the template above. The following are the definitions of the request parameters:

Parameter | Type | Description
client_id | string | Your unique client id provided to you by CompanyCam
redirect_uri | string | The URI to redirect the user to after they authorize your application
response_type | string | This must be set to code. The redirect_uri provided above will include a code query parameter used to obtain an access token in the next step.
scope | string | The scope of the access request. The possible values are: read, write, and destroy. It may have multiple space-delimited values.

Obtain an Access Token

After the user has authorized your application, they will be redirected to the redirect_uri provided in Authorization Grant. The URI will contain a code query parameter that will be exchanged for an access_token and refresh_token.

curl -X POST --data "client_id={client_id}&client_secret={client_secret}&code={code_from_uri}&grant_type=authorization_code&redirect_uri={authorized_redirect_uri}" "https://app.companycam.com/oauth/token"

The request can be generated using the template above. The following are the definitions of the request parameters:

Parameter | Type | Description
client_id | string | Your unique client id provided to you by CompanyCam.
client_secret | string | The secret key provided to you by CompanyCam. This should be treated like a password.
code | string | The value from the code query parameter that was included when the user was redirected to your application.
redirect_uri | string | The URI used above when you initially redirected the user to CompanyCam.

Example Response

{
 "access_token": "de6780bc506a0446309bd9362820ba8aed28aa506c71eedbe1c5c4f9dd350e54",
 "token_type": "bearer",
 "expires_in": 7200,
 "refresh_token": "8257e65c97202ed1726cf9571600918f3bffb2544b26e00a61df9897668c33a1"
}

Refreshing a Token

When you obtain an access token for a user you will also receive a refresh_token as part of the same payload. This token is important and should be stored along with the access_token. Once the access token expires you can refresh the access token using the refresh token.

Each time you request a new access_token, you will receive a new refresh_token as well. Please make sure to update both in your database.

curl -X POST --data "client_id={client_id}&client_secret={client_secret}&refresh_token={refresh_token}&grant_type=refresh_token" "https://app.companycam.com/oauth/token"

The things to note in the request are that you pass refresh_token instead of code and set the grant_type to 'refresh_token'.

Example Response

{
 "access_token": "9823m0bc506a0446309bd9362820ba8aed28aa506c71eedbe1c5c4f9dd350k82",
 "token_type": "bearer",
 "expires_in": 7200,
 "refresh_token": "8257e65c97202ed1726cf9571600918f3bffb2544b26e00a61df9897668dl281"
}
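
The refresh step described above, as an added example that is not CompanyCam's own code: a small token holder that refreshes shortly before expiry and replaces the access_token and refresh_token together. The TokenStore class, the save hook, the expires_at field and the 60-second skew are assumptions made for illustration; the endpoint and form fields are the ones shown on this page.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://app.companycam.com/oauth/token"  # token endpoint from this page

def post_form(url, fields):
    """POST form-encoded fields (like curl --data) and return the parsed JSON body."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as resp:
        return json.load(resp)

class TokenStore:
    """Token pair for one user. `save` is a hypothetical hook that writes a record to your database."""

    def __init__(self, client_id, client_secret, tokens, save, post=post_form, now=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.tokens, self.save, self.post, self.now = dict(tokens), save, post, now

    def _store(self, payload):
        # Every token response carries a new refresh_token, so both values are replaced together.
        record = {
            "access_token": payload["access_token"],
            "refresh_token": payload["refresh_token"],
            "expires_at": self.now() + payload["expires_in"],
        }
        self.save(record)      # persist first, so a crash cannot leave only the old pair on disk
        self.tokens = record

    def access_token(self, skew=60):
        """Return a usable access token, refreshing `skew` seconds before it expires."""
        if self.now() >= self.tokens["expires_at"] - skew:
            self._store(self.post(TOKEN_URL, {
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "refresh_token": self.tokens["refresh_token"],
                "grant_type": "refresh_token",
            }))
        return self.tokens["access_token"]
```

A response that lacks either token raises KeyError before anything is saved, so the stored pair is left untouched.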