Get Access Tokens

You will need to request an access token to be able to use Harbor API’s.


Different scopes are required to communicate with the different API’s:
- The scope service_provider is required to communicate with the service provider API:,
The resulting token is for your backend only.
- The scope tower_access is for the SDK to be able to communicate with the SDK API .
This token is for your mobile application.

What environment should I use?

In order to find out which environment your tower should be using, check your tower ID.
The first 2 numbers will tell you which environment your tower is configured to.
10 - production
01 - sandbox

For this we’ll select the client_credentials grant type. Let’s get an access token for our backend application, with scope service_provider

For production the URL to request our access tokens it is

For sandbox



This Url will be referred to as {accounts_url} on the rest of this page. Don’t send any requests without replacing any variables in curly brackets {} with actual data

Example requests

Using the proper url, you can make your request for client credentials like this.
$ curl -X 'POST' \
    '{accounts_url}/realms/harbor/protocol/openid-connect/token' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'grant_type=client_credentials&scope=service_provider&client_id={your client id}&client_secret={your client secret}'

the response will look like this:

    "access_token": "Your access token will be a very long string",
    "refresh_token": null,
    "refresh_expires_in": 0,
    "expires_in": 300,
    "token_type": "Bearer"

Now to get a mobile SDK token the flow is the same but request scope tower_access instead of service_provider.

 $ curl -X 'POST' \
'{accounts_url}/realms/harbor/protocol/openid-connect/token' \
-H 'accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&scope=tower_access&client_id={your_client_id}&client_secret={your_client_secret}'

Refreshing the token

If at any point your token has expired you can use the following code to refresh it.

 curl -X 'POST' \
'{accounts_url}/realms/harbor/protocol/openid-connect/token' \
-H 'accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token&client_id=your client id&client_secret={your client secret}&refresh_token={your very long token here}'

Testing your SDK token

If you need to test your token you can use the api url.

Remember to change the url if you are using the test environment:

$ curl -X 'POST' \
'' \
-H 'accept: application/json' \
-H 'Authorization: Bearer your very long access token...' \
-d ''

Your response will look something like:


If instead your response is an error:

A 401 error means you should check your credentials and environment.
A 404 error means you should check your url.
For our typical app flow, go to Discover Towers
For advanced users and special circumstances, try SDK tools