32.1 Authentication

REST clients must authenticate before accessing the administrative REST services. First, an Oracle Application Express instance administrator must log into the Oracle Application Express application and register a REST client.

When a client has been registered in Instance Administration, the dialog shows Client ID and Client Secret, with which the client can then perform authentication following the OAuth2 Client Credentials flow. A client first connects with a Client ID and a Client Secret as the credentials. Upon successful authentication, the server sends back the OAuth Access Token. Using this access token, the client can then access the administrative REST services.

HTTP Request Syntax Parameter

Table 32-1 HTTP Request Syntax

Parameter Description

HTTP Method




Request Body


HTTP Request Headers

"Content-Type": "application/x-www-form-urlencoded"
"Authorization": Client-ID:Client Secret in Base64-encoded form


Returns a JSON object with the following structure upon successful authentication:

  "access_token": OAuth access token for subsequent requests,
  "token_type":   "bearer",
  "expires_in":   lifetime of the OAuth token, in seconds; typically "3600"

If authentication is unsuccessful, the server responds with HTTP-401:Unauthorized.


In the following examples, ClientId stands for the Client ID and ClientSecret for the Client Secret.

Example 1

The following example shows the request and the start of the response when you use the command-line utility curl:

   $ curl -i \
          --user ClientId:ClientSecret \
          --data "grant_type=client_credentials" \
          http://application-express-host:port/ords/apex_instance_admin_user/oauth/token

   HTTP/1.1 200 OK
   Content-Type: application/json
   Transfer-Encoding: chunked


Use a JSON parser to extract the value of the access_token attribute and use it in subsequent requests.

Example 2

The following example obtains a token with the APEX_WEB_SERVICE package in another Application Express instance and displays the output shown:

   begin
       -- Run the OAuth2 Client Credentials flow against the token URL.
       apex_web_service.oauth_authenticate(
           p_token_url     => 'http://application-express-host:port/ords/apex_instance_admin_user/oauth/token',
           p_client_id     => 'ClientId',
           p_client_secret => 'ClientSecret' );
       dbms_output.put_line( 'The token is: ' || apex_web_service.oauth_get_last_token );
   end;
   /

   The token is: LfXJilIBdzj5JPRn4xb5QQ..

With the acquired OAuth Access Token, the administrative REST Services can be called.
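The following Python sketch is an added example, not part of the original documentation or Oracle's code. It builds the token request described above, parses the JSON response, handles HTTP 401, and produces the header for subsequent calls. The host name, the sample response body, the function names, the HTTPS check and the 30-second expiry margin are assumptions made for illustration; the token is sent as a standard OAuth2 bearer Authorization header.

```python
import base64, json, time
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Constructed sample response body (not captured from a real server).
SAMPLE_BODY = '{"access_token": "EXAMPLE-TOKEN", "token_type": "bearer", "expires_in": "3600"}'

def build_token_request(token_url, client_id, client_secret, allow_http=False):
    """Build (but do not send) the client-credentials token request."""
    # Base64 is an encoding, not encryption: over plain http the secret is readable.
    if urlsplit(token_url).scheme != "https" and not allow_http:
        raise ValueError("token URL must use https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(
        token_url,
        data=urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Authorization": "Basic " + basic},
        method="POST",
    )

def parse_token_response(status, body, now=None):
    """Return the token and its absolute expiry time, or raise on failure."""
    if status == 401:
        raise PermissionError("HTTP 401 Unauthorized: Client ID or Client Secret rejected")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    doc = json.loads(body)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("response is not a bearer token")
    now = time.time() if now is None else now
    # expires_in may arrive as a number or a string such as "3600".
    return {"access_token": doc["access_token"], "expires_at": now + int(doc["expires_in"])}

def bearer_headers(token, now=None, skew=30):
    """Authorization header for later calls; refuse a token at or near expiry."""
    now = time.time() if now is None else now
    if now + skew >= token["expires_at"]:
        raise TimeoutError("access token expired; request a new one")
    return {"Authorization": "Bearer " + token["access_token"]}

if __name__ == "__main__":
    req = build_token_request(  # host name is a placeholder
        "https://apex.example.invalid/ords/apex_instance_admin_user/oauth/token",
        "ClientId", "ClientSecret")
    print(req.get_method(), req.full_url, req.data)
    print(bearer_headers(parse_token_response(200, SAMPLE_BODY)))
```

Pass the request to urllib.request.urlopen to send it, and keep the Client Secret and the access token out of logs and shell history.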