Ironclad

Ironclad OAuth 2.0 API

OAuth 2.0 endpoints for delegated and machine-to-machine access to the Ironclad Public API. Supports the Authorization Code grant (with PKCE for public clients) and the Client Credentials grant for server-to-server integrations. Exposes /authorize, /token, /userinfo, and /company-info; scopes follow the `public.{resource}.{action}` convention (e.g., `public.workflows.readWorkflows`, `public.records.createRecords`).

GitHub OpenAPI

Documentation

📖
Documentation
https://developer.ironcladapp.com/reference/authentication-api
📖
Documentation
https://developer.ironcladapp.com/reference/authorization-code-grant
📖
Documentation
https://developer.ironcladapp.com/reference/client-credentials-grant
📖
Documentation
https://developer.ironcladapp.com/reference/register-oauth-client
📖
Documentation
https://developer.ironcladapp.com/reference/guidance-for-oauth-migration

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/ironclad/refs/heads/main/openapi/ironclad-oauth-20-api-openapi.yml

OpenAPI Specification

ironclad-oauth-20-api-openapi.yml Raw ↑ 
openapi: 3.1.0
info:
  title: Ironclad OAuth 2.0 API
  description: Documentation for Ironclad's OAuth 2.0 Implementation. More details on the [OAuth 2.0 specification](https://datatracker.ietf.org/doc/html/rfc6749).
  version: '1'
  contact:
    name: Ironclad Support
    email: support@ironcladapp.com
servers:
- url: https://na1.ironcladapp.com/oauth
  description: Production server
- url: https://eu1.ironcladapp.com/oauth
  description: EU Production server
- url: https://demo.ironcladapp.com/oauth
  description: Demo server
paths:
  /authorize:
    get:
      summary: Initiate an Authorization Transaction
      description: This endpoint is used to request authorization from a user to access their Ironclad data on their behalf.
        This is the initial request of an Authorization Code grant flow. The client application generally initiates the authorization
        flow, where a user will be redirected to Ironclad to log in and grant the requested permissions. The user is then
        redirected back to the client application redirect URI with an authorization code. See endpoint [specification](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1).
      operationId: oauth-authorize
      tags:
      - Authorization
      parameters:
      - $ref: '#/components/parameters/AuthCodeResponseType'
      - $ref: '#/components/parameters/ClientId'
      - $ref: '#/components/parameters/RedirectUri'
      - $ref: '#/components/parameters/ResourceScope'
      - $ref: '#/components/parameters/State'
      responses:
        '302':
          description: If the request is successful, the user will be directed to Ironclad to log in and grant permissions.
            Then the user will be redirected back to the client application redirect URI with an authorization code. If the
            user denies the request, they will be redirected back to the client application redirect URI with an error of
            'access_denied'. If the request includes an invalid scope, the user will be redirected back to the client application
            redirect URI with an error of 'invalid_scope'.
          headers:
            Location:
              schema:
                type: string
                example: https://myapp.com/oauth/callback?code=63d415e0dd0d828c3a878548&state=1234567890
        '400':
          description: If the request is missing required parameters or has invalid parameters, the client will receive an
            'invalid_request' response.
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    example: invalid_request
                  error_description:
                    type: string
                    example: 'Invalid or missing parameters: Invalid value for client_id, expected type UUID'
        '403':
          description: If the client application is not authorized to use a specific grant type, the client will receive an
            'unauthorized_client' response.
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    example: unauthorized_client
                  error_description:
                    type: string
                    example: client not authorized to use this oauth grant type
  /token:
    post:
      summary: Request a Token
      description: This endpoint is used to request a token from the authorization server. If requesting an initial token
        in the Authorization Code grant, an authorization code, client ID, and client secret must be provided. If requesting
        to refresh an existing token in the Authorization Code grant, a refresh token, client ID, and client secret must be
        provided. If requesting a token via the Client Credentials grant, a client ID and secret must be provided. See endpoint
        [specification](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2).
      operationId: oauth-token
      tags:
      - Authorization
      parameters:
      - $ref: '#/components/parameters/ClientAuthorization'
      requestBody:
        $ref: '#/components/requestBodies/TokenRequestBody'
      responses:
        '200':
          description: A successful response will return the relevant token details.
          content:
            application/json:
              schema:
                oneOf:
                - $ref: '#/components/schemas/AuthorizationCodeGrantTokenResponse'
                - $ref: '#/components/schemas/ClientCredentialsGrantTokenResponse'
        '400':
          description: If the request is missing required parameters or has invalid parameters, the client will receive either
            an 'invalid_request' or 'invalid_scope' response.
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    example: invalid_request
                  error_description:
                    type: string
                    example: missing redirect uri
        '401':
          description: If the client associated with the initial authorization request does not match the client requesting
            the token or if the client associated with a token does not match the client requesting a token refresh, the client
            will receive an 'invalid_client' response.
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    example: invalid_client
                  error_description:
                    type: string
                    example: invalid client
        '403':
          description: If the client is not authorized to use a particular grant, the client will receive an 'unauthorized_client'
            response. If the request includes an invalid authorization code, an invalid refresh token, or an invalid redirect
            URI, the client will receive an 'invalid_grant' response.
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    example: invalid_grant
                  error_description:
                    type: string
                    example: authorization code has expired
  /company-info:
    get:
      summary: Retrieve Company Info
      description: After a client application has obtained an access token, it can make a request to the /company-info endpoint
        to get company-related information and entitlements associated with the token.
      operationId: oauth-company-info
      tags:
      - Resources
      parameters:
      - $ref: '#/components/parameters/XAsUserEmail'
      - $ref: '#/components/parameters/XAsUserId'
      responses:
        '200':
          description: '200'
          content:
            application/json:
              schema:
                type: object
                properties:
                  companyId:
                    type: string
                    description: The unique identifier of the company associated with the token.
                    example: 6013609108b8f070cee94fc1
                  companyName:
                    type: string
                    description: The internal name of the company.
                    example: Example Company Inc.
                  companyDisplayName:
                    type: string
                    description: The display name of the company shown in the Ironclad UI.
                    example: Example Company
                  entitlements:
                    type: object
                    description: A map of entitlement keys to their configuration and current value. Each value describes
                      an entitlement and whether it is enabled.
                    additionalProperties:
                      type: object
                      description: An entitlement entry.
                      properties:
                        name:
                          type: string
                          description: The display name of the entitlement.
                        description:
                          type: string
                          description: A human-readable description of the entitlement.
                        type:
                          type: string
                          description: The data type of the entitlement value.
                          enum:
                          - boolean
                        value:
                          type: boolean
                          description: Whether the entitlement is enabled for the company.
                      required:
                      - name
                      - description
                      - type
                      - value
                    example:
                      jurist:
                        name: Jurist
                        description: Ironclad AI Assistant
                        type: boolean
                        value: true
                required:
                - companyId
                - companyName
                - companyDisplayName
                - entitlements
        '401':
          description: '401'
          content:
            application/json:
              schema:
                oneOf:
                - $ref: '#/components/schemas/InvalidTokenError'
                - $ref: '#/components/schemas/RevokedTokenError'
                - $ref: '#/components/schemas/ExpiredTokenError'
        '403':
          description: The token is valid but does not have access to the requested company. This can occur when the company
            associated with the token is inactive or cannot be resolved.
          content:
            application/json:
              schema:
                type: object
                properties:
                  code:
                    type: string
                    example: FORBIDDEN
        '404':
          description: '404'
          content:
            application/json:
              schema:
                type: object
                properties:
                  code:
                    type: string
                    example: NOT_FOUND
  /userinfo:
    get:
      summary: Retrieve Token User Info
      description: After a client application has obtained an access token, it can make a request to the /userinfo endpoint
        to get user-related information. The data returned include the user's ID, email, username, and other profile details
        along with the scopes granted to the token.
      operationId: oauth-userinfo
      tags:
      - Resources
      parameters:
      - $ref: '#/components/parameters/XAsUserEmail'
      - $ref: '#/components/parameters/XAsUserId'
      responses:
        '200':
          description: '200'
          content:
            application/json:
              schema:
                type: object
                properties:
                  sub:
                    type: string
                    description: Subject identifier as defined by the OIDC specification. Equal to the user's Ironclad ID.
                    example: 63d415e0dd0d828c3a878548
                  id:
                    type: string
                    example: 63d415e0dd0d828c3a878548
                  email:
                    type: string
                    example: user@example.com
                  username:
                    type: string
                    example: username
                  firstName:
                    type: string
                    example: John
                  lastName:
                    type: string
                    example: Doe
                  displayName:
                    type: string
                    example: John Doe
                  title:
                    type: string
                    example: Software Engineer
                  companyId:
                    type: string
                    example: 6013609108b8f070cee94fc1
                  companyName:
                    type: string
                    example: Example Company
                  scopes:
                    type: array
                    items:
                      type: string
                    example:
                    - public.records.readRecords
                    - public.records.createRecords
                required:
                - sub
                - id
                - email
                - username
                - firstName
                - lastName
                - displayName
                - title
                - companyId
                - companyName
                - scopes
        '401':
          description: '401'
          content:
            application/json:
              schema:
                oneOf:
                - $ref: '#/components/schemas/InvalidTokenError'
                - $ref: '#/components/schemas/RevokedTokenError'
                - $ref: '#/components/schemas/ExpiredTokenError'
        '404':
          description: '404'
          content:
            application/json:
              schema:
                type: object
                properties:
                  code:
                    type: string
                    example: NOT_FOUND
components:
  parameters:
    AuthCodeResponseType:
      name: response_type
      in: query
      description: The expected response type for the request. Must be set to 'code' for the Authorization Code grant.
      required: true
      schema:
        type: string
        enum:
        - code
        example: code
    ClientId:
      name: client_id
      in: query
      description: The client ID of the client application issued at registration.
      required: true
      schema:
        type: string
        example: 6013609108b8f070cee94fc1
    RedirectUri:
      name: redirect_uri
      in: query
      description: The client applications redirect URI. Must be registered on the client application and consistent throughout
        the authorization transaction.
      required: true
      schema:
        type: string
        example: https://myapp.com/oauth/callback
    ResourceScope:
      name: scope
      in: query
      description: Specifies the level of access that your client application is requesting. It should be a space-separated
        string of Ironclad resource scopes that can be found on the client application registration page. The scopes requested
        must be equal to or a subset of the client application’s registered scopes.
      required: false
      schema:
        type: string
        example: public.records.readRecords public.records.createRecords
    State:
      name: state
      in: query
      description: An opaque value used by the client application to maintain state between the request and callback. The
        authorization server includes this value when redirecting the user back to the client application.
      required: false
      schema:
        type: string
        example: '1234567890'
    XAsUserEmail:
      name: x-as-user-email
      in: header
      description: Denotes the actor of the request. When used, the API will take into account this user's permissions and
        access. This or `x-as-user-id` is required when the associated token was produced from the Client Credentials grant
        or with legacy bearer tokens on select endpoints. More information about [permissions](https://support.ironcladapp.com/hc/en-us/articles/23063233934999-Ironclad-Permissions-Overview).
      required: false
      schema:
        type: string
        example: jane.doe@test.com
    XAsUserId:
      name: x-as-user-id
      in: header
      description: Denotes the actor of the request. When used, the API will take into account this user's permissions and
        access. This or `x-as-user-email` is required when the associated token was produced from the Client Credentials grant
        or with legacy bearer tokens on select endpoints. More information about [permissions](https://support.ironcladapp.com/hc/en-us/articles/23063233934999-Ironclad-Permissions-Overview).
      required: false
      schema:
        type: string
        example: 5f0375c4cdc1927a3c5edcd3
    ClientAuthorization:
      name: Authorization
      in: header
      description: The client ID and client secret of the client application in the format 'Basic <client_id:client_secret>'
        where client ID and secret are base64 encoded. Required if not provided in the request body.
      required: false
      schema:
        type: string
        example: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=
  requestBodies:
    TokenRequestBody:
      content:
        application/json:
          schema:
            oneOf:
            - type: object
              properties:
                grant_type:
                  description: The grant type for the request. Must be set to 'authorization_code' for the Authorization Code
                    grant initial token request.
                  type: string
                  enum:
                  - authorization_code
                  example: authorization_code
                code:
                  description: The authorization code received from the authorization server.
                  type: string
                  example: 63d415e0dd0d828c3a878548
                redirect_uri:
                  description: The client applications redirect URI. Must be registered on the client application and consistent
                    throughout the authorization transaction.
                  type: string
                  example: https://myapp.com/oauth/callback
                client_id:
                  description: The client ID of the client application issued at registration. Required if not provided in
                    the Authorization header.
                  type: string
                  example: 6013609108b8f070cee94fc1
                client_secret:
                  description: The client secret of the client application issued at registration. Required if not provided
                    in the Authorization header.
                  type: string
                  example: 346423435cdsfad786578adf
              required:
              - grant_type
              - code
              - redirect_uri
            - type: object
              properties:
                grant_type:
                  description: The grant type for the request. Must be set to 'refresh_token' for the Authorization Code grant
                    refresh token request.
                  type: string
                  enum:
                  - refresh_token
                  example: refresh_token
                refresh_token:
                  description: The refresh token received from the authorization server for the access token being refreshed.
                  type: string
                  example: 63d415e0dd0d828c3a878548
                scope:
                  description: Specifies the level of access that your client application is requesting. It should be a space-separated
                    string of Ironclad resource scopes that can be found on the client application registration page. The
                    scopes requested must be equal to or a subset of the client application’s registered scopes and the previously
                    granted scopes. When ommitted, the previously granted scopes are used.
                  type: string
                  example: public.workflows.readWorkflows public.workflows.createWorkflows
                client_id:
                  description: The client ID of the client application issued at registration. Required if not provided in
                    the Authorization header.
                  type: string
                  example: 6013609108b8f070cee94fc1
                client_secret:
                  description: The client secret of the client application issued at registration. Required if not provided
                    in the Authorization header.
                  type: string
                  example: 346423435cdsfad786578adf
              required:
              - grant_type
              - refresh_token
            - type: object
              properties:
                grant_type:
                  description: The grant type for the request. Must be set to 'client_credentials' for the Client Credentials
                    grant token request.
                  type: string
                  enum:
                  - client_credentials
                  example: client_credentials
                scope:
                  description: Specifies the level of access that your client application is requesting. It should be a space-separated
                    string of Ironclad resource scopes that can be found on the client application registration page. The
                    scopes requested must be equal to or a subset of the client application’s registered scopes.
                  type: string
                  example: public.workflows.readWorkflows public.workflows.createWorkflows
                client_id:
                  description: The client ID of the client application issued at registration. Required if not provided in
                    the Authorization header.
                  type: string
                  example: 6013609108b8f070cee94fc1
                client_secret:
                  description: The client secret of the client application issued at registration. Required if not provided
                    in the Authorization header.
                  type: string
                  example: 346423435cdsfad786578adf
              required:
              - grant_type
  schemas:
    InvalidTokenError:
      type: object
      properties:
        code:
          type: string
          example: UNAUTHORIZED
        message:
          type: string
          example: invalid authentication token
    RevokedTokenError:
      type: object
      properties:
        code:
          type: string
          example: UNAUTHORIZED
        message:
          type: string
          example: token has been revoked
    ExpiredTokenError:
      type: object
      properties:
        code:
          type: string
          example: UNAUTHORIZED
        message:
          type: string
          example: token has expired
    AuthorizationCodeGrantTokenResponse:
      description: Response for an Authorization Code grant token request. Will include the token scope if scope was requested.
      type: object
      properties:
        token_type:
          type: string
          example: Bearer
        access_token:
          type: string
          example: 63d415e0dd0d828c3a878548
        refresh_token:
          type: string
          example: 42353hj5hj453lhgff245323
        expires_in:
          type: integer
          example: 3600
        scope:
          type: string
          example: public.workflows.readWorkflows public.workflows.createWorkflows
      required:
      - token_type
      - access_token
      - refresh_token
      - expires_in
    ClientCredentialsGrantTokenResponse:
      description: Response for an Client Credentials grant token request. Will include the token scope if scope was requested.
      type: object
      properties:
        token_type:
          type: string
          example: Bearer
        access_token:
          type: string
          example: 63d415e0dd0d828c3a878548
        expires_in:
          type: integer
          example: 3600
        scope:
          type: string
          example: public.workflows.readWorkflows public.workflows.createWorkflows
      required:
      - token_type
      - access_token
      - expires_in
tags:
- name: Authorization
  description: OAuth 2.0 authorization endpoints for token management and user authentication.
- name: Resources
  description: Resource access endpoints for retrieving user information and token details.
x-readme:
  headers: []
  explorer-enabled: true
  proxy-enabled: true
  samples-languages:
  - curl
  - node
  - ruby
  - javascript
  - python