Generate Service Account Token

On this page

Resource

Request Path Parameters
Request Query Parameters
Request Body Parameters
Response
Example Request
Example Response
Response Header
Response Body

Cloud Manager will no longer support Automation, Backup, and Monitoring for MongoDB 3.6 and 4.0 after August 30th, 2024. Please upgrade your MongoDB deployment or migrate to Atlas.

OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.: The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.

Resource

POST https://cloud.mongodb.com/api/oauth/token

Request Path Parameters

This endpoint doesn't use HTTP request path parameters.

Request Query Parameters

The following query parameters are optional:

Name	Type	Necessity	Description	Default
pretty	boolean	Optional	Flag that indicates whether the response body should be in a prettyprint format.	`false`
envelope	boolean	Optional	Flag that indicates whether or not to wrap the response in an envelope. Some API clients cannot access the HTTP response headers or status code. To remediate this, set `envelope : true` in the query. For endpoints that return a list of results, the `content` object is an envelope. Cloud Manager adds the `status` field to the response body.	`false`
backupJobsEnabledOnly	boolean	Optional	Flag indicating whether to exclude daemons not enabled for backing up databases from the response. Set this to `false` to include daemon configurations with the `backupJobsEnabled` flag set to `false`.	`true`

Request Body Parameters

This endpoint doesn't use HTTP request body parameters.

Response

The response includes:

Name	Type	Description
access_token	string	The service account access token for authenticating API requests.
token_type	string	The mechanism for token authorization, here represented as `Bearer`.
expires_in	integer	The duration the access token is valid, in seconds.

Example Request

Replace {BASE64-AUTH} in the following example with your base64-encoded service account client ID and secret. To learn more, see Make an API Request.

curl --request POST \
  --url https://cloud.mongodb.com/api/oauth/token \
  --header 'accept: application/json' \
  --header 'cache-control: no-cache' \
  --header 'authorization: Basic {BASE64-AUTH}' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials'

Example Response

Response Header

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: application/json
Strict-Transport-Security: max-age=300
Date: {dateInUnixFormat}
Connection: keep-alive
Content-Length: {requestLengthInBytes}
X-MongoDB-Service-Version: gitHash={gitHash}; versionString={ApplicationVersion}

HTTP/1.1 400 Bad Request
Date: {dateInUnixFormat}
Content-Type: application/json
Content-Length: {requestLengthInBytes}
Server: mdbws
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-MongoDB-Service-Version: gitHash={gitHash}; versionString={ApplicationVersion}
...

HTTP/1.1 401 Unauthorized
Content-Type: application/json;charset=ISO-8859-1
Date: {dateInUnixFormat}
WWW-Authenticate: Digest realm="MMS Public API", domain="", nonce="{nonce}", algorithm=MD5, op="auth", stale=false
Content-Length: {requestLengthInBytes}
Connection: keep-alive

HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Type: application/json
Strict-Transport-Security: max-age=300
Date: {dateInUnixFormat}
Connection: keep-alive
Content-Length: {requestLengthInBytes}
X-MongoDB-Service-Version: gitHash={gitHash}; versionString={ApplicationVersion}
...

HTTP/1.1 429 Too Many Requests
Retry-After: {retryAfterValue}
Vary: Accept-Encoding
Content-Type: application/json
Strict-Transport-Security: max-age=300
Date: {dateInUnixFormat}
Connection: keep-alive
Content-Length: {requestLengthInBytes}
X-MongoDB-Service-Version: gitHash={gitHash}; versionString={ApplicationVersion}
...

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Content-Type: application/json
Strict-Transport-Security: max-age=300
Date: {dateInUnixFormat}
Content-Length: {requestLengthInBytes}
X-MongoDB-Service-Version: gitHash={gitHash}; versionString={ApplicationVersion}
...

HTTP/1.1 503 Service Unavailable
Retry-After: {retryAfterValue}
Vary: Accept-Encoding
Content-Type: application/json
Strict-Transport-Security: max-age=300
Date: {dateInUnixFormat}
Content-Length: {requestLengthInBytes}
X-MongoDB-Service-Version: gitHash={gitHash}; versionString={ApplicationVersion}
...

Response Body

{
  "access_token":"eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjAwMDAwMDAwLTQwMDBtLTQ0MGEIXkY0IH4IMF84MGYMX2FtperB2miniFzHCJ9.eyJpc3MiOiJodHRwczUvYWxkZXYubW9uZ29kYi5jb20iLCJhdWQiOiJhcGk6Ly9hZG1pbiIsInN1YiI6ImZha2Vfc3ViX2lkXzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwic2lkIjoiZmFrZTNfaWRfMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwic2Vzc2lvblN1YiI6ImZha2Vfc2lkXzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIIDmVlc1NX4adGVyaCBJRCJvbmcxISS8zdeD0pyQwMjNlIiwiYWN0b3JJZCI6ImZha2Vfc2lkXzAwMDAwMDAwMDAwMDOIi8wMDAwMDAwMCIsImlhdCI6MTIzNDU2Nzg5MCwiZXhwIjoxMjM0NTc0OTgwLCJqdGkiOiJmYWtlLWp0aS02MOwNDBQNDBdDOGhyES8xOTY1OGEtMDAwMDAwMDAwMDAwMDAwMDAwMGIwNjRGM3NifQ==.jmbo9d_fgfk32FGB423f09SF0kFSDFoQxh3j9FZ2",
  "expires_in":3600,
  "token_type":"Bearer"
}

{
  "error_description": "The provided credentials are not valid.",
  "error": "invalid_request"
}

{
  "error_description": "Invalid grant type.",
  "error": "unsupported_grant_type"
}

{
  "error_description": "Invalid grant.",
  "error": "invalid_grant"
}

{
  "error_description": "Invalid credentials provided.",
  "error": "invalid_client"
}

{
  "error_description": "IP access list validation failed for the service account.",
  "error": "access_denied"
}

{
  "error_description": "Resource {URL} is limited to 10 requests every 1 minutes.",
  "error": "rate_limited"
}

{
  "error_description": "Unexpected error.",
  "error": "server_error"
}

Back

Service Accounts

Revoke Service Account Token