Skip to main content
This is the simplest way to call the Aries API when your app only ever acts as one user. If you are building an integration that signs in on behalf of many different users — a partner/business integration — use the Authorization Code flow instead.
Only user-scoped (personal-token) clients may use this grant.
  • Allowed: personal-token clients — client IDs like ARI-PERSONAL-TK.<entropy>, which are bound to a single user. The issued token acts as that user.
  • Not allowed: business/partner clients — client IDs like ARI-PARTNER.*. These receive an unauthorized_client error and must use the interactive Authorization Code flow instead.

Prerequisites

Before you implement this flow, ensure you have:
  • A personal-token client — Register a personal-token client in Client Center / Manage Account to get a client_id (e.g. ARI-PERSONAL-TK.xxxxx) and client_secret.
  • Secure storage — Somewhere safe to keep the client_secret, such as environment variables or a secrets manager.
The client_secret is shown only once when you create the client. Copy it immediately and store it securely. If lost, regenerate it in Client Center / Manage Account.

Step 1: Request an access token

Send your credentials to the token endpoint. The endpoint accepts the request body as either application/x-www-form-urlencoded (the OAuth2 standard) or application/json. Endpoint: POST https://api.aries.com/v1/oauth2/token Request body:
FieldRequiredDescription
grant_typeYesMust be client_credentials
client_idYesYour client identifier (e.g. ARI-PERSONAL-TK.xxxxx)
client_secretYesYour client secret
Client authentication is done with these body parameters. HTTP Basic authentication is not supported for this endpoint.
curl -X POST 'https://api.aries.com/v1/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials' \
  -d 'client_id=ARI-PERSONAL-TK.xxxxx' \
  -d 'client_secret=YOUR_CLIENT_SECRET'
curl -X POST 'https://api.aries.com/v1/oauth2/token' \
  -H 'Content-Type: application/json' \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "ARI-PERSONAL-TK.xxxxx",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'
async function getAccessToken() {
  const response = await fetch('https://api.aries.com/v1/oauth2/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: process.env.ARIES_CLIENT_ID,
      client_secret: process.env.ARIES_CLIENT_SECRET,
    }),
  });

  if (!response.ok) {
    const err = await response.json();
    throw new Error(err.error_description || `Token request failed: ${response.status}`);
  }

  return await response.json();
}
import os
import requests

def get_access_token():
    response = requests.post(
        'https://api.aries.com/v1/oauth2/token',
        data={
            'grant_type': 'client_credentials',
            'client_id': os.environ['ARIES_CLIENT_ID'],
            'client_secret': os.environ['ARIES_CLIENT_SECRET'],
        },
    )
    response.raise_for_status()
    return response.json()


Response

A successful request returns 200 OK with the token in JSON:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 900,
  "refresh_token": "",
  "refresh_token_expires_in": 0,
  "scope": "user:information account:information"
}
FieldDescription
access_tokenA signed JWT (RS256). Send it as a bearer token on API requests.
token_typeAlways Bearer.
expires_inToken lifetime in seconds. Always 900 (15 minutes).
scopeSpace-delimited list of the client’s granted scopes.
refresh_tokenNot issued for this grant (empty string).
refresh_token_expires_inNot issued for this grant (0).
This grant does not issue refresh tokens. When the access token expires, simply request a new one from the same endpoint.

Step 2: Make authenticated API requests

Include the access token in the Authorization header for every API request.
Authorization: Bearer YOUR_ACCESS_TOKEN
curl -X GET 'https://api.aries.com/v1/users/me/accounts' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
const { access_token } = await getAccessToken();

const accounts = await fetch('https://api.aries.com/v1/users/me/accounts', {
  headers: { 'Authorization': `Bearer ${access_token}` },
}).then(r => r.json());
token = get_access_token()['access_token']

accounts = requests.get(
    'https://api.aries.com/v1/users/me/accounts',
    headers={'Authorization': f'Bearer {token}'},
).json()
Tokens expire after 15 minutes. When you get a 401, request a new token from the token endpoint and retry.

Errors

Errors follow the standard OAuth2 error response format:
{
  "error": "invalid_client",
  "error_description": "Client authentication failed"
}
ErrorHTTP statusCause
invalid_request400Missing or invalid grant_type, client_id, or client_secret.
invalid_client401Unknown client_id, wrong client_secret, or an inactive client.
unauthorized_client403The client is a business/partner client (ARI-PARTNER.*) not permitted to use client_credentials. Use the Authorization Code flow instead.

Next steps

OAuth2 Overview

Scopes, security, rate limits, and troubleshooting.

Authorization Code Flow

Interactive redirect flow for partner/business integrations.

Token API Reference

Interactive token endpoint reference.

Quick Start

Get started in minutes.