Tokens through 2-legged OAuth authorization

Two-legged (client credential) OAuth authorization gets its name because it involves two different parties: your application and the ORCID OAuth service. It is used on the ORCID Registry in two situations:

  1. When an organization wants to use the API to search public data on the ORCID Registry or read public data on an ORCID record
  2. When an organization wants to register a webhook for a specific ORCID record using the premium member API

This process differs from three-legged authorization in that the authorization comes from ORCID, not from the user. Your client sends a request directly to the ORCID API along with its client credentials, and the ORCID API grants a token based on the client's privileges. Users will not see in their account settings whether you have requested an access token to read public data on their record or registered a webhook on their record, and they will be unable to revoke such access tokens.

The process

Obtaining a token using two-legged authorization is simple: send a POST request to the ORCID API token endpoint specifying your client credentials, and the API will return a token.

An example call to obtain a token to read public data on the ORCID sandbox testing server (replace the bracketed values with your own client credentials):

  URL: https://sandbox.orcid.org/oauth/token
  METHOD: POST
  HEADER: accept:application/json
  DATA: 
    client_id=[Your client ID]
    client_secret=[Your client secret]
    grant_type=client_credentials
    scope=/read-public

curl example:

  curl -i -L -H "Accept: application/json" -d "client_id=APP-NPXKK6HFN6TJ4YYI" -d "client_secret=060c36f2-cce2-4f74-bde0-a17d8bb30a97" -d "scope=/read-public" -d "grant_type=client_credentials" "https://sandbox.orcid.org/oauth/token"

The API then returns a JSON response containing the access token, similar to the following:

  {"access_token":"4bed1e13-7792-4129-9f07-aaf7b88ba88f","token_type":"bearer",
   "refresh_token":"2d76d8d0-6fd6-426b-a017-61e0ceda0ad2","expires_in":631138518,
   "scope":"/read-public","orcid":null}

The token returned is long-lived (expires_in is given in seconds; 631138518 seconds is approximately 20 years) and can be used to perform multiple searches or read multiple ORCID records. Note that the orcid field is null: a client-credential token is tied to your client, not to any particular ORCID record.
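The request and response above, carried out end to end in a small Python client. This is an added example and not ORCID's own code: it builds the same form-encoded POST the page shows, reads the client ID and secret from the environment variables ORCID_CLIENT_ID and ORCID_CLIENT_SECRET (names chosen for this example) rather than from the source file, and checks the token response before the token is stored or used, so a token granted with a different scope or token type than requested is rejected. The sample response is constructed from the page's example values and is used when no credentials are set, so the script runs offline.

```python
"""Two-legged (client_credentials) token request against the ORCID sandbox.

Added example, not ORCID's own client code. Assumes the token endpoint and
response shape shown on the page; ORCID_CLIENT_ID / ORCID_CLIENT_SECRET are
environment variable names chosen for this example.
"""
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://sandbox.orcid.org/oauth/token"
READ_PUBLIC_SCOPE = "/read-public"


def build_token_request(client_id: str, client_secret: str,
                        scope: str = READ_PUBLIC_SCOPE) -> urllib.request.Request:
    """Build the POST shown on the page: form-encoded client credentials,
    grant_type=client_credentials, and an Accept: application/json header."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": scope,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw: str, expected_scope: str = READ_PUBLIC_SCOPE) -> dict:
    """Validate the JSON token response before the token is stored or used.

    Rejects a response with no access_token, a token_type other than bearer,
    or a granted scope different from the one requested, so a misconfigured
    client never ends up holding a token with a privilege it did not ask for.
    """
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError("no access_token in response: %s" % data.get("error", raw))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type %r" % data.get("token_type"))
    if data.get("scope") != expected_scope:
        raise ValueError("granted scope %r != requested %r"
                         % (data.get("scope"), expected_scope))
    return {
        "access_token": data["access_token"],
        # expires_in is in seconds; convert to years (Julian year) for readability
        "expires_in_years": round(data["expires_in"] / (365.25 * 86400), 1),
        "scope": data["scope"],
        # null for client-credential tokens: the token is not bound to a user record
        "orcid": data.get("orcid"),
    }


def fetch_token() -> dict:
    """Perform the live call. Credentials come from the environment rather than
    the source file, so the client secret is never committed alongside the code."""
    client_id = os.environ["ORCID_CLIENT_ID"]
    client_secret = os.environ["ORCID_CLIENT_SECRET"]
    with urllib.request.urlopen(build_token_request(client_id, client_secret)) as resp:
        return parse_token_response(resp.read().decode())


# Constructed sample: the response shape shown on the page, using its example values.
SAMPLE_RESPONSE = (
    '{"access_token":"4bed1e13-7792-4129-9f07-aaf7b88ba88f","token_type":"bearer",'
    '"refresh_token":"2d76d8d0-6fd6-426b-a017-61e0ceda0ad2","expires_in":631138518,'
    '"scope":"/read-public","orcid":null}'
)

if __name__ == "__main__":
    if "ORCID_CLIENT_ID" in os.environ and "ORCID_CLIENT_SECRET" in os.environ:
        print(fetch_token())          # live request against the sandbox
    else:
        print(parse_token_response(SAMPLE_RESPONSE))  # offline: parse the page's sample
```

Because the token is long-lived and cannot be revoked by the user, treat it like the client secret itself: keep it out of logs and source control, and request only the scope the integration actually needs.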