In order to perform any requests against the Webgate API you first need to authenticate using the Authorize Code Flow of the OAuth2 standard.

See for the specification of the protocol.

All subsequent requests can be authorized using the access token which will be received via this protocol.

Registering a client

First, your client needs to be registered. For this, please send us your Redirection URI(s), and the name of your client. It is supposed to be easily recognized by webgate-users who are going to authorize your client. You will also need a webgate user to which the client will be bound to.
All the necessary data, like the client_id and secret_id, can be found within the menu "MyProfile", once your client has been registered to your user.
Also there, users can see all their authorized clients and revoke access grants at any time. In this case, the flow would have to be repeated.


A token expires after 24 hours. If the user hasn't revoked the authorization, a new token can be generated at any time. Your application should do this automatically.

Invalidating an access token

Tokens can be invalidated.
To do this, send a POST request to /oauth/revoke. The request needs to carry the access token, of course.


POST /oauth/revoke HTTP/1.1
Authorization: Bearer example-token

Successful Response:

HTTP/1.1 200 OK
Content-Type: application/json



Once an access token has been obtained by the client, it can be used to request resources that the authenticated user is allowed to access.

NOTE: client applications MUST expect a request to fail due to insufficient authorization at any point. The fact that a resource can be seen in a listing doesn't always indicate that it can be accessed, as it may have been deleted in the meantime.

Passing the access token via an HTTP header

The preferred way of passing the token is by setting the Authorization header, using the Bearer authorization scheme and the access token.

NOTE: Client application developers should take special care using this method, so the access token will NOT show up in logfiles and won't be exposed in any other way. Since the URI is not encrypted, every attempt to send the token over the URI will fail, and the token will be invalidated. Please always sent the token with the encrypted headers.


GET /api/projects HTTP/1.1
Authorization: Bearer example-token


GET /api/projects

Handling authorization failures

Whenever a protected resource is requested, the authorization may fail.
In general there are three distinct cases that cause this to happen:

  1. No access token was provided
  2. The provided access token is invalid
  3. The accessed resource may not be accessed by the user associated with the access token

The former two cases cause an equivalent 401 (Unauthorized) response, while the latter causes a 403 (Forbidden) response.

401 example response:

HTTP/1.1 401 Unauthorized
Content-Type: application/json

  "status": 401,
  "status_message": "Unauthorized",
  "error": "Token missing, invalid, or expired. Token expires after 24 hours of idle time."
NOTE: If a client application receives this response even though it passed a (thought to be) valid access token, it SHOULD take steps to acquire a new access token.

403 example response:

HTTP/1.1 403 Forbidden
Content-Type: application/json

  "status": 403,
  "status_message": "Forbidden",
  "error": "Forbidden"