
Client credentials

The Client Credentials grant type uses your domain’s API Key and Secret to request an access token. Use this grant type only from server-side code, so that your API secret is never exposed.

To use endpoints that require a user’s ID, complete the following steps:

  1. Go to the user’s Trustpilot Business profile page.
  2. Copy the User ID.
  3. Provide the User ID as a header or in the request body.

Request an access token

To get an access token you need your API Key and API Secret.

Method: POST https://api.trustpilot.com/v1/oauth/oauth-business-users-for-applications/accesstoken

Headers

Authorization: Basic [BASE64_ENCODED(API_KEY:API_SECRET)]

Create a string by concatenating your key, a colon, and your secret. Base64 encode this resulting string.

Content-Type: application/x-www-form-urlencoded

Payload

| Name | Type | Description |
| --- | --- | --- |
| grant_type | Required string | Value must be set to client_credentials |

Example

curl -X POST \
"https://api.trustpilot.com/v1/oauth/oauth-business-users-for-applications/accesstoken" \
-H 'authorization: Basic <[BASE64_ENCODED(API_KEY:API_SECRET)]>' \
-H 'content-type: application/x-www-form-urlencoded' \
-d grant_type=client_credentials

Response

{
  "access_token": "AccessToken",
  "expires_in": "359999"
}

When the access token expires, issue the same request to get a new token.
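The request above, wrapped in a small server-side token cache that repeats it once the token has expired. This is an added example, not Trustpilot's own code; the `TokenCache` class, the 60-second safety margin and the environment variable names are assumptions.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = ("https://api.trustpilot.com/v1/oauth/"
             "oauth-business-users-for-applications/accesstoken")


def basic_auth_header(api_key, api_secret):
    """Return 'Basic ' + base64(API_KEY:API_SECRET) as one unwrapped line."""
    raw = f"{api_key}:{api_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def http_post(url, headers, body):
    """Default transport: POST a form-encoded body and parse the JSON reply."""
    req = urllib.request.Request(url, data=body.encode("ascii"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token in memory and re-requests it shortly before expiry."""

    def __init__(self, api_key, api_secret, post=http_post,
                 clock=time.monotonic, margin=60):
        self._auth = basic_auth_header(api_key, api_secret)
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            headers = {"Authorization": self._auth,
                       "Content-Type": "application/x-www-form-urlencoded"}
            body = urllib.parse.urlencode({"grant_type": "client_credentials"})
            data = self._post(TOKEN_URL, headers, body)
            self._token = data["access_token"]
            # expires_in is a string in the documented response; convert it.
            self._expires_at = self._clock() + int(data["expires_in"]) - self._margin
        return self._token


if __name__ == "__main__":
    # Assumed variable names; the secret stays out of source code and logs.
    cache = TokenCache(os.environ["TRUSTPILOT_API_KEY"], os.environ["TRUSTPILOT_API_SECRET"])
    print("token received, length", len(cache.get()))
```

The `post` and `clock` parameters exist so the cache can be exercised without network access; in production the defaults are used.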

Refresh an access token

Access tokens expire after 100 hours and refresh tokens expire after 30 days. When your access token expires, you can use the refresh token to generate a new access token. The Authorization Code and Password grant types return a refresh token with each new access token.

Use one of the following requests to receive a new access token:

Method: POST https://api.trustpilot.com/v1/oauth/oauth-business-users-for-applications/refresh

or

https://api.trustpilot.com/v1/oauth/oauth-business-users-for-applications/accesstoken

Headers

Authorization: Basic [BASE64_ENCODED(API_KEY:API_SECRET)]

Content-Type: application/x-www-form-urlencoded

There are two ways to pass your API Key and secret:

  1. Pass your key and secret in the Authorization header, using HTTP Basic authentication. This is the recommended approach.
  2. Pass your key and secret in the payload using the client_id and client_secret parameters.

Payload

| Name | Type | Description |
| --- | --- | --- |
| grant_type | Required string | Value must be set to refresh_token |
| refresh_token | Required string | The refresh token |
| client_id | Optional string | The API key |
| client_secret | Optional string | The API secret |

Example

https://api.trustpilot.com/v1/oauth/oauth-business-users-for-applications/refresh
grant_type=refresh_token&refresh_token=RefreshToken

Response

{
  "access_token": "AccessToken",
  "refresh_token": "RefreshToken"
}

Revoke a refresh token

You can revoke a refresh token. Revoking a refresh token also revokes the related access token. Use the following request to revoke a refresh token:

Method: POST https://api.trustpilot.com/v1/oauth/oauth-business-users-for-applications/revoke

Headers

Content-Type: application/x-www-form-urlencoded

Payload

| Name | Type | Description |
| --- | --- | --- |
| token | Required string | The refresh token |

Example

token=7Xu4MQ9xsvUA0Tard2bIofnLjacrw7RL

Response

You receive a 200 response if the revocation succeeds.