Which OAuth Method to use?

Using API Connector, I need to generate an OAuth 2.0 token, but the method seems to require more than the OAuth Password Flow authentication option and less than the OAuth User Agent Flow option. Any ideas on what to do? Notes from the documentation below.

Step 1: Generating OAuth Access Tokens
Experian APIs implement the OAuth v2.0 password grant-type to obtain the access token. The access token can be obtained at


curl -X POST \
-H "Client_id: 3QC11Sm45ti8wEG0d9A5hma5XIlGG7U9" \
-H "Client_secret: ipu3WQDqTEjqZDXW" \
-H "Content-Type: application/json" \
-d '{ "username":"youremail@email.com",
On successful validation of credentials, a JWT token will be generated.

"issued_at": "1478105120762",
"expires_in": "10799",
"token_type": "BearerToken",
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJva3RhLXVzZXItbGFzdE5hbWUiOiJyYXRoaSIsInN1YiI6Im9hdXRoL

Step 2: Using Access Tokens
After an application obtains the access token, it sends it to an Experian API in an HTTPS authorization header. It is a good REST practice to not send your query-string parameters as a URI parameter as this is not secure. Access tokens are valid only for the lifetime for which they are issued, and only for the scope specified when making the token request.

Following is a sample HTTP request using access token:

POST /applicationprocessing/businessinformation/v1/businesscredits HTTP/1.1
Host: sandbox-us-api.experian.com
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJva3RhLXVzZXItbGFzdE5hbWUiOiJyYXRoaSIsInN1YiI6Im9hdXRoLWV4dC1va3Rh

Step 3: Token Expiry
If you get a 401 error on sending the bearer token in your request, then the access token has expired and a new one should be requested. OAuth JWT token expires every 8 hours.

A 400 error is something you might get only on the IE browser, due to compatibility issues. You can use IE, but keep compatibility mode off, as enabling compatibility mode adds unnecessary characters to the request payload, hence the 400 Bad Request error.

Please note that usernames and passwords are case sensitive, and this could be another reason to get a 401 unauthorized error.

Why can’t you use ‘OAuth2 Password Flow’ and set the client ID and the Client secret as shared headers? That should do it.
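
The flow in the quoted documentation (client ID and secret as headers, JSON credentials in the body, renewal on 401), as an added example that is not part of the original posts and is not Experian or API Connector code. `TOKEN_URL` is a placeholder because the page omits the endpoint, the `password` body field is an assumption because the sample body is cut off, and `post` is a hypothetical transport function.

```python
import json
import time

# Placeholder: the token URL is missing from the quoted documentation.
TOKEN_URL = "https://TOKEN-ENDPOINT.invalid/placeholder"


class TokenCache:
    """Caches the bearer token and renews it shortly before expires_in runs out."""

    def __init__(self, post, client_id, client_secret, username, password, skew=60):
        # post(url, headers, body) -> (status, text) is a hypothetical transport.
        # Load the four credentials from a secret store, not from source code.
        self._post = post
        self._headers = {"Client_id": client_id, "Client_secret": client_secret,
                         "Content-Type": "application/json"}
        # Assumption: the JSON body (cut off on the page) also has a "password" field.
        self._body = json.dumps({"username": username, "password": password})
        self._skew = skew
        self._token = None
        self._expires_at = 0.0

    def _fetch(self, now):
        status, text = self._post(TOKEN_URL, self._headers, self._body)
        if status != 200:
            raise PermissionError(f"token request failed with HTTP {status}")
        data = json.loads(text)
        # expires_in is a string of seconds in the sample response ("10799").
        self._expires_at = now + int(data["expires_in"]) - self._skew
        self._token = data["access_token"]

    def token(self, now=None, force=False):
        now = time.time() if now is None else now
        if force or self._token is None or now >= self._expires_at:
            self._fetch(now)
        return self._token


def call_api(cache, post, url, payload, now=None):
    """POST with the token in the Authorization header; on a 401, renew once and retry."""
    for attempt in range(2):
        headers = {"Content-Type": "application/json",
                   "Authorization": "Bearer " + cache.token(now, force=(attempt == 1))}
        status, text = post(url, headers, json.dumps(payload))
        if status != 401:
            break
    return status, text
```

The single retry keeps a persistent 401, such as a wrong-case username or password, from turning into a loop of token requests.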