Skip to main content

Authenticate with OAuth 2.0 in Postman (GraphQL API)

Updated

Purpose: Learn how to generate OAuth credentials and use Postman to obtain an access token for the Administrate GraphQL API.

Related: OAuth documentation (Developer Portal)

Mental model: OAuth and access tokens

To access the Administrate API, you must:

  1. Create a developer application (Client ID and Client Secret)
  2. Authenticate a user against an Administrate instance
  3. Receive an access token to use in API requests

Postman simplifies this process by handling the OAuth flow for you.

Contents

Generate a Client ID and Client Secret

First, create a developer application to generate your credentials.

  1. Go to https://developer.getadministrate.com/account/my-apps 
  2. Click Create application
  3. Enter a name (used when connecting the app to an instance)
  4. Set the OAuth callback URL:
    • Use your own callback URL, or
    • Use Postman’s default: https://postman-echo.com/get
  5. Optional: add a description
  6. Click Create application and copy:
    • Client ID (API Key)
    • Client Secret (API Secret)

These credentials are required to authenticate and request access tokens.

Use Postman to get an access token

Set up Postman

  1. Download and install Postman
  2. Import the provided Postman collection (OAuth 2 template)
  3. Open the request: OAuth 2 with Administrate for GraphQL

Configure OAuth settings

  1. Go to the Authorization tab
  2. Paste your:
    • Client ID
    • Client Secret
  3. Ensure the following values are set:
Callback URL: https://postman-echo.com/get
Auth URL: https://auth.getadministrate.com/oauth/authorize
Access Token URL: https://auth.getadministrate.com/oauth/token
Scope: instance
Client Authentication: Send client credentials in body

Request an access token

  1. Click Get New Access Token
  2. Enter your Administrate instance URL
  3. Log in as a valid user
  4. Approve access

Postman will return:

  • Access token (used for API requests)
  • Refresh token (used to generate new access tokens)

You can now authenticate API calls using the access token.

Note: The refresh token does not expire and can be reused to generate new access tokens.

Troubleshooting

Error: Invalid client_id parameter value

This usually means your Client ID is incorrect.

  • Copy the API Key again from your developer account
  • Update the value in Postman

Error: invalid_client

This usually means your Client Secret is incorrect.

  • Copy the API Secret again
  • Update the value in Postman
  • Check if the secret was regenerated

Related articles