GoTo Developers
API Status
GoTo Developers

How to obtain an access token

Once you have created a developer application for the products you want to access, you first obtain an authorization code. The authorization code can then be sent with additional client data to generate an access token for future API calls.

IMPORTANT: To get an access token for GoToAssist Corporate see the GoToAssist Corporate API specification.

Obtaining an authorization code

  1. Choose OAuth Clients on the main menu.
  2. Open your client and copy the client ID value.
  3. Insert the client ID into the Sample URL below to replace {clientID}.
  4. Enter a valid redirect URI to replace {redirectUri}.
  5. Send the call from your browser address/search field. You are directed to the LogMeIn sign in page.
  6. If you are not already logged in, you will sign in with your credentials and must click Allow to authorize access for your API client.
  7. You are then automatically redirected to the redirect URI. The redirect URI (in the browser address bar) includes an authorization code.

NOTE: Only the scopes set in your OAuth client will be requested from your end users.

Sample URL

https://api.getgo.com/oauth/v2/authorize?client_id={clientID}&response_type=code&redirect_uri={redirectUri}

With (fake) values filled in, the call looks like:

https://api.getgo.com/oauth/v2/authorize?client_id=a2094c4f-fAk0e-4339-934f-4da2d788d0aa&response_type=code&redirect_uri=https://example.com

Allow screen sample

03 Auth code

IMPORTANT: You may see an error on the page such as 404 NOT FOUND. This is not a problem. Look at the URL in the browser. It contains the authorization code you need for the next step. It will look something like:

https://example.com/?code=iS0vynEEvRFA9i6kZ8gvNDnnOGE...

Only a small fragment of the authorization code is shown here as it is at least 10 times larger. Retain this code for the next step.

Obtain an access token

You can now send the authorization code in exchange for an access token. Each authoization code can only be exchanged once. Any subsequent attempts will result in an error.

Request an access token using a POST call. This call can be sent through Postman, using the cURL command line, or other API clients.

cURL syntax below shows the full request. Details on creating the Authorization header and the other POST data follows the code sample.

curl -X POST "https://api.getgo.com/oauth/v2/token" \
  -H "Authorization: Basic YTIwfAKeNGYtODY4YS00MzM5LTkzNGYtNGRhMmQ3ODhkMGFhOjNuYU8xMElBMmFnY3ZHKzlJOVRHRVE9PQ==" \
  -H "Accept:application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "redirect_uri=https://example.com&grant_type=authorization_code&code=iS0vynEEvRFA9i6kZ8gvNDnnOGE..."

The code value above is truncated for clarity in the example.

Authorization header

The Authorization header is created by base64-encoding the app's client ID and client secret. To encode these values, open an encoding site, for example, Base64Encode.org, and paste in the client ID, add a colon (:), and then paste in the client secret. No spaces, no quotes, no brackets. Submit the values and an encoded value is returned that will look something like:

YTIwfAKeNGYtODY4YS00MzM5LTkzNGYtNGRhMmQ3ODhkMGFhOjNuYU8xMElBMmFnY3ZHKzlJOVRHRVE9PQ==

Add this value to the Authorization header after the word Basic as shown in the cURL example above.

Data Parameters

Parameter Description Format Required
grant_type authorization_code string Yes
code authorization code string Yes
redirect_uri location where authorization code will be sent string No

Response example

IMPORTANT: The access token and refresh token values are truncated. They are large values.

{
 "access_token": "eyJraWQiOiJvYXV0aHYyLmxt666...",
  "token_type": "Bearer",
  "refresh_token": "eyJraWQiOiJvYXV0aHYyLmxt999...",
  "expires_in": 3600,
  "account_key": "9999982253621659654",
  "account_type": "",
  "email": "mister.jones@fakemail.com",
  "firstName": "Moon",
  "lastName": "Beam",
  "organizer_key": "8439885694023999999",
  "version": "3"
 }

Response data

The following is sample output.

Parameter Description
access_token OAuth access token
token_type The type of the access token (always "Bearer")
refresh_token Refresh token identifier, valid for 30 days, or until product logout
organizer_key GoTo product user organizer key
account_key GoTo product account key (may be blank)
account_type GoTo product type “personal” or “corporate” (may be missing or blank)
firstName GoTo product user organizer first name (G2M only)
lastName GoTo product user organizer last name (G2M only)
email GoTo product user organizer email (G2M only)
version The version of the access token

This access token can now be used to authorize API requests by setting it in the Authorization header with the following format: "Authorization: Bearer {access_token}". E.g. for the GET Me request of the Admin API:

curl -H "Accept: application/json" \
-H "Authorization: Bearer eyJraWQ..." \
"https://api.getgo.com/admin/rest/v1/me"