GoTo Developer

How to obtain an OAuth access token

Here is a small guide to manually get an access token for your local tests.

IMPORTANT: To get an access token for GoToAssist Corporate see the GoToAssist Corporate API specification.

Obtaining an Authorization Code

  1. Choose OAuth Clients on the main menu.
  2. Open your client and copy the client ID value.
  3. Insert the client ID into the sample URL below to replace {clientID}.
  4. Enter a valid redirect URI to replace {redirectUri}. This value is optional but recommended to prevent the wrong URI from being used.
  5. Send the call from your browser address/search field. You are directed to the GoTo sign in page.
  6. If you are not already logged in, you will sign in with your credentials and must click Allow to authorize access for your API client.
  7. You are then automatically redirected to the redirect URI. The redirect URI (in the browser address bar) includes an authorization code.

NOTE: Only the scopes set in your OAuth client will be requested from your end users.

Sample URL{clientID}&response_type=code&redirect_uri={redirectUri}

With (fake) values filled in, the call looks like:

Allow Screen Sample

IMPORTANT: You may see an error on the page such as 404 NOT FOUND. This is not a problem. Look at the URL in the browser. It contains the authorization code you need for the next step. It will look something like:

Retain this code for the next step.

Obtain an Access Token

You can now send the authorization code in exchange for an access token. Each authorization code can only be exchanged once. Any subsequent attempts will result in an error.

Request an access token using a POST call. This call can be sent through Postman, using the cURL command line, or other clients.

The cURL syntax below shows the full request. Details on creating the Authorization header and the other POST data follow the code sample.

curl -X POST "" \
  -H "Authorization: Basic YTIwfAKeNGYtODY4YS00MzM5LTkzNGYtNGRhMmQ3ODhkMGFhOjNuYU8xMElBMmFnY3ZHKzlJOVRHRVE9PQ==" \
  -H "Accept:application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "redirect_uri="

The code value above is truncated for clarity in the example.

Authorization header

The Authorization header is created by base64-encoding the app's client ID and client secret. To encode these values, open an encoding site and paste in the client ID, add a colon (:), and then paste in the client secret. No spaces, no quotes, no brackets. Submit the values and an encoded value is returned that will look something like:


Add this value to the Authorization header after the word Basic as shown in the cURL example above.

Data Parameters

| Parameter | Description | Format | Required |
| grant_type | authorization_code | string | Yes |
| code | authorization code | string | Yes |
| redirect_uri | location where authorization code will be sent | string | Yes |
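
The same steps done locally in shell, as an added example that is not GoTo's own code: it builds the Basic value without handing the client secret to an encoding site, pulls the authorization code out of the redirect URL, and posts the three data parameters. `TOKEN_URL`, the function names and every sample value are assumptions.

```shell
#!/bin/sh
# Added example: all names and sample values here are constructed placeholders.

# base64("clientID:clientSecret") on a single line. printf is a shell builtin
# in bash and dash, so the secret is not exposed as a process argument.
# tr strips the line wrapping that base64 adds to long values.
basic_auth_value() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the value of the "code" query parameter from the redirect URL copied
# out of the browser address bar (prints nothing if the parameter is absent).
auth_code_from_redirect() {
  query=${1#*\?}         # drop everything up to the first '?'
  query=${query%%\#*}    # drop any fragment
  printf '%s\n' "$query" | tr '&' '\n' | sed -n 's/^code=//p' | head -n 1
}

# Exchange the code for tokens. TOKEN_URL is an assumption: set it to the
# token endpoint given in the GoTo documentation. The Authorization header is
# passed to curl on stdin (-H @-, curl 7.55.0+) so it never appears in `ps`.
# usage: exchange_code CLIENT_ID CLIENT_SECRET CODE REDIRECT_URI
exchange_code() {
  printf 'Authorization: Basic %s\n' "$(basic_auth_value "$1" "$2")" |
    curl --fail --silent --show-error -X POST "$TOKEN_URL" \
      -H @- \
      -H "Accept: application/json" \
      --data-urlencode "grant_type=authorization_code" \
      --data-urlencode "code=$3" \
      --data-urlencode "redirect_uri=$4"
}
```

Keep the client ID and secret in environment variables or a protected file rather than typing them on the command line, so they stay out of shell history.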

Response example

IMPORTANT: The access token and refresh token values are truncated. They are large values.

{
  "access_token": "eyJraWQiOiJvYXV0aHYyLmxt666...",
  "token_type": "Bearer",
  "refresh_token": "eyJraWQiOiJvYXV0aHYyLmxt999...",
  "expires_in": 3600,
  "scope": " calls.v2.initiate",
  "principal": ""
}

Response data

The following is sample output.

| Parameter | Description |
| access_token | OAuth access token |
| token_type | The type of the access token (always "Bearer") |
| refresh_token | Refresh token identifier, valid until product logout |
| expires_in | The period, in seconds, until the access token expires |
| scope | The allowed scope(s) for the issued token, separated by a whitespace |
| principal | The email identifier that owns the token |

This access token can now be used to authorize API requests by setting it in the Authorization header in the following format: "Authorization: Bearer {access_token}". For example, the GET Me request of the SCIM API returns useful information about the authenticated user:

curl -H "Accept: application/json" \
-H "Authorization: Bearer eyJraWQ..." \