Web Users - OAuth Authentication

The Web API supports authentication using the OAuth client credentials flow.

User Setup

The user setup is largely the same as for the other authentication types, with the following differences:

Display Name

Used purely for display and identification purposes.

Client Id

The value sent as client_id in the token request.

Client Secret

When a new user is created the Client Secret will be displayed. Record it in a secrets store at that point rather than in source code or scripts; it is the only credential the client needs to obtain tokens.

Client Secret Rotation

Existing users can rotate their client_secret.

Press the Rotate button, then confirm by pressing Regenerate. Clients still using the previous secret must be updated with the new value before they request their next token.

Requirements

To authenticate using OAuth, the IIS website hosting the WebAPI must have an HTTPS binding (typically on port 443) that is bound to a valid SSL certificate; client credentials and bearer tokens are only protected in transit by that TLS connection.

Please note this must be done manually and is not performed by the setup.

A full discussion of SSL certificates is available here.

  • Add the SSL certificate to the server via Manage Computer Certificates (not described here).
  • Open IIS Manager
    • Identify and select the site in which the IManWebAPI is found - typically this is the 'Default Web Site'.
    • Click Bindings on the right hand side.
    • To run the WebAPI on the standard SSL port (443), select the existing https binding for port 443; otherwise click Add to create a new https binding.
    • From the SSL Certificate drop-down, select the certificate added through Manage Computer Certificates.

Obtaining and Using an OAuth Token

This section describes the client_credentials flow permitted for WebAPI OAuth authentication.

  1. Make the following request (the body is form-encoded, so fields are joined with = and &):

    POST https://<imanserver>:44390/connect/token
    Content-Type: application/x-www-form-urlencoded

    client_id=<the client id from the web user>
    &client_secret=<the client secret from the web user>
    &grant_type=client_credentials
    &scope=httpListener_scope
  2. If successful a JSON body with an access_token, token_type and expires_in (the token lifetime in seconds) will be returned:

    {
      "access_token": "eyJhbGciOiJSU...",
      "token_type": "Bearer",
      "expires_in": 899
    }

  3. Make the request to the WebAPI, passing the access_token from step 2 in the Authorization header as a Bearer token (the token value is not quoted). Cache the token and request a new one before expires_in elapses rather than on every call. For example:

    GET https://<imanserver>:443/IManWebAPI/orders?from=2026-04-01
    Authorization: Bearer eyJhbGciOiJSU...
    Accept: application/x-www-form-urlencoded
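The full client_credentials exchange above, worked as an added example that is not part of the original page or the product's own code. A small client fetches a token, caches it until shortly before expires_in elapses, and builds the bearer-authenticated WebAPI request; a built-in stand-in for the /connect/token endpoint (its checks are assumptions modelled on the request described above, not the real implementation) lets the exchange run offline. The client id, client secret and the shape of the simulated token are constructed values; the URLs, scope and field names are those given on the page.

```python
import hmac
import time
import urllib.parse

TOKEN_URL = "https://imanserver:44390/connect/token"  # token endpoint from the page
API_BASE = "https://imanserver:443/IManWebAPI"         # WebAPI base from the page
SCOPE = "httpListener_scope"                           # scope from the page
FORM = "application/x-www-form-urlencoded"


class FakeTokenServer:
    """Offline stand-in for /connect/token. Its validation rules are an
    assumption based on the page's request description, not the product's code."""

    def __init__(self, clients, lifetime=900):
        self.clients = clients      # client_id -> client_secret (constructed test data)
        self.lifetime = lifetime    # seconds a token is valid for
        self.issued = 0             # how many tokens have been minted

    def post(self, url, headers, body):
        if url != TOKEN_URL:
            return 404, {"error": "not_found"}
        if headers.get("Content-Type") != FORM:
            return 400, {"error": "invalid_request"}
        form = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        if form.get("scope") != SCOPE:
            return 400, {"error": "invalid_scope"}
        expected = self.clients.get(form.get("client_id", ""))
        # constant-time comparison so a wrong secret cannot be distinguished by timing
        if expected is None or not hmac.compare_digest(expected, form.get("client_secret", "")):
            return 401, {"error": "invalid_client"}
        self.issued += 1
        return 200, {
            "access_token": f"eyJhbGciOiJSU.simulated.{self.issued}",  # opaque stand-in for the JWT
            "token_type": "Bearer",
            "expires_in": self.lifetime - 1,  # the page shows 899 for a 15-minute token
        }


class ClientCredentialsClient:
    """Fetches a bearer token and reuses it until `skew` seconds before expiry."""

    def __init__(self, client_id, client_secret, post, clock=time.monotonic, skew=60):
        self.client_id = client_id
        self.client_secret = client_secret
        self.post = post          # callable(url, headers, body) -> (status, json_dict)
        self.clock = clock        # injectable so expiry can be tested without waiting
        self.skew = skew
        self._token = None
        self._expires_at = 0.0

    def get_token(self):
        now = self.clock()
        if self._token is not None and now < self._expires_at - self.skew:
            return self._token    # cached token still has more than `skew` seconds left
        body = urllib.parse.urlencode({
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "grant_type": "client_credentials",
            "scope": SCOPE,
        })
        status, payload = self.post(TOKEN_URL, {"Content-Type": FORM}, body)
        if status != 200:
            raise PermissionError(f"token request failed: {status} {payload.get('error')}")
        if payload.get("token_type") != "Bearer":
            raise ValueError(f"unexpected token_type {payload.get('token_type')!r}")
        self._token = payload["access_token"]
        self._expires_at = now + float(payload["expires_in"])
        return self._token

    def api_request(self, method, path, query=None):
        """Returns (method, url, headers) for a WebAPI call; the token is unquoted."""
        url = API_BASE + path
        if query:
            url += "?" + urllib.parse.urlencode(query)
        return method, url, {"Authorization": f"Bearer {self.get_token()}"}


class FakeClock:
    """Controllable clock used to exercise token expiry in the demo."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def try_get_token(client):
    """Returns the token, or the error text when the endpoint rejects the credentials."""
    try:
        return client.get_token()
    except PermissionError as exc:
        return str(exc)


def demo():
    """Two calls inside the token lifetime share one token; a third after expiry gets a new one."""
    secret = "constructed-secret-shown-once"          # constructed, not a real credential
    server = FakeTokenServer({"orders-integration": secret})
    clock = FakeClock()
    client = ClientCredentialsClient("orders-integration", secret, server.post, clock)
    first = client.api_request("GET", "/orders", {"from": "2026-04-01"})
    second = client.api_request("GET", "/orders", {"from": "2026-04-01"})
    clock.advance(900)                                 # past expires_in (899 s)
    third = client.api_request("GET", "/orders", {"from": "2026-04-01"})
    return first, second, third, server.issued


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In a real deployment replace `server.post` with an HTTPS POST (for example via `requests.post`) that verifies the server certificate configured in the Requirements section; the caching logic and header construction stay the same. Renewing `skew` seconds early avoids a request failing with an expired token mid-flight.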