OAuth 2.0

Basic Concepts

Authorization Server

The server responsible for issuing access tokens to the client after successfully authenticating and authorizing the client. The authorization server is sometimes also responsible for user authentication.


The possible ways a client can obtain an Access Token. OCLC supports three different flows:

  • Explicit Authorization Code
  • Explicit Authorization Code + PKCE
  • Client Credential Grant


The 80 character public portion of the WSKey.


A string which represents the functionality which the client is requesting authorization to use.

Authorization Code

The unique string which represents the fact that a user has successfully authenticated and the application has been granted the right to access one or more scopes for a particular institution. Authorization Codes are exchanged by clients to obtain Access Tokens.

Access Token

A credential that can be used by an application to access an API. Access Tokens can be either an opaque string or a JSON Web Token (JWT).

Partial scopes

An access token which is returned with only SOME of the scopes the client application requested.

Basic Authentication

A simple authentication scheme used to protect HTTP requests. Requests contain the Authorization header with the key and secret joined by a colon and base64 encoded.
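The header format described above, as an added example that is not OCLC's own code: it builds the Authorization value from a key and secret and decodes it again, which shows that base64 is reversible by anyone who sees the header, so the request must only travel over TLS. The function names and the sample credentials are constructed for illustration.

```python
import base64
import binascii
from typing import Tuple


def build_basic_header(key: str, secret: str) -> str:
    """Return the Authorization header value for a key/secret pair."""
    # The first colon separates key from secret, so the key itself
    # cannot contain one without making the header ambiguous.
    if ":" in key:
        raise ValueError("key must not contain ':'")
    raw = f"{key}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str) -> Tuple[str, str]:
    """Recover (key, secret) from an Authorization header value."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed credentials") from exc
    # Split on the first colon only: the secret may contain colons.
    key, sep, secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return key, secret


if __name__ == "__main__":
    # Constructed sample credentials, not a real WSKey.
    header = build_basic_header("example-key", "s3cr:et")
    print("Authorization:", header)
    # No key is needed to reverse the encoding.
    print("Decoded:", parse_basic_header(header))
```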

Refresh Token

A longer-lived token which a client can request, and which allows an application to obtain a new access token without prompting the user.