Request an OAuth 2.0 Access Token

Each API call requires you to send an Access Token. The Access Token is used to identify the caller of the API. Valdit APIs always use OAuth 2.0 Access Tokens. They can be obtained using one of the standardized OAuth 2.0 flows. In this example we will use the Client Credentials flow.

Your Client Credentials

If all went well, you have received a set of “client credentials”, in the form of a client identifier and a client secret, when this document was supplied to you. You will need them for this example. If you don’t have client credentials at hand, you can request them by sending an email to support@valdit.com using ‘Request for Sandbox Client Credentials’ as subject. Make sure you include your own VAT Number. We will send you a reply within two business hours.

Build an HTTP Basic Authorization header

Calling the API involves making HTTP requests. We presume you will use an HTTP client library. Most HTTP client libraries have built-in support for Basic Authentication. However, to make sure that you can correctly make the call to retrieve the token, this section explains how to build your own Basic Authorization header.

The Authorization header must follow the standard for HTTP Basic Authentication and thus consists of the word Basic, a single space, and the Base64-encoded form of [client_id]:[client_secret]. If, for example, you have received the following credentials:

client_id: myclientid

client_secret: myvery$ecretpw

You need to concatenate them using a : like this:

myclientid:myvery$ecretpw

and then Base64-encode that string [1], which will result in:

bXljbGllbnRpZDpteXZlcnkkZWNyZXRwdw==

The full Basic Authorization header will be:

Authorization: Basic bXljbGllbnRpZDpteXZlcnkkZWNyZXRwdw==

Request the token

Having built the Authorization header, you are ready to request the token. You request the token by making an HTTP POST request to the token endpoint: https://developer.valdit.com/identity/connect/token. Insert the Authorization header created in the previous step. Set the Content-Type to application/x-www-form-urlencoded and set the body of your POST to:

 grant_type=client_credentials&scope=vatnumberchecks:read vatnumberchecks:write addresses:geocode

The body should be placed on one line. Remember to URL-encode the body [2] to match the Content-Type. The resulting raw version of the HTTP request is:

POST https://developer.valdit.com/identity/connect/token HTTP/1.1
Host: developer.valdit.com
Authorization: Basic bXljbGllbnRpZDpteXZlcnkkZWNyZXRwdw==
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=vatnumberchecks%3Aread+vatnumberchecks%3Awrite+addresses%3Ageocode

Below is an example of how this call can be made using the cURL [3] command-line tool, but any standards-compliant HTTP client can be used:

 # -d sends its data as-is; --data-urlencode URL-encodes the scope value for us
 curl -H "Authorization: Basic bXljbGllbnRpZDpteXZlcnkkZWNyZXRwdw==" \
   -d "grant_type=client_credentials" \
   --data-urlencode "scope=vatnumberchecks:read vatnumberchecks:write addresses:geocode" \
   "https://developer.valdit.com/identity/connect/token"

This request will get you a response with the body containing a JSON object similar to the following:

 { "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz.......................", 
 "expires_in": 3600, "token_type": "Bearer" } 

The access_token element contains the requested token. The example above displays only part of the ‘real’ token, which can contain more than 1000 characters. Save the full token (everything between the double quotes), as you will need it in the next step.
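
The steps above can also be done locally in Python, so the client secret never has to be pasted into an online encoder. This is an added example, not Valdit's own code: the function names are assumptions made for illustration, the credentials are the sample values from this page, and the request is built but not sent.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://developer.valdit.com/identity/connect/token"
SCOPES = ("vatnumberchecks:read", "vatnumberchecks:write", "addresses:geocode")


def basic_auth_header(client_id, client_secret):
    """Return 'Basic ' + Base64(client_id:client_secret), as described above."""
    if ":" in client_id:
        raise ValueError("client_id must not contain ':' (it is the separator)")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request_body(scopes=SCOPES):
    """Form-encode the POST body: spaces become '+', ':' becomes '%3A'."""
    fields = {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    return urllib.parse.urlencode(fields).encode("ascii")


def build_token_request(client_id, client_secret, scopes=SCOPES):
    """Build (but do not send) the POST request for the token endpoint."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(
        TOKEN_URL, data=token_request_body(scopes), headers=headers, method="POST")


def parse_token_response(body, now=None):
    """Return (access_token, absolute expiry time in epoch seconds)."""
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response")
    now = time.time() if now is None else now
    return data["access_token"], now + int(data["expires_in"])


if __name__ == "__main__":
    req = build_token_request("myclientid", "myvery$ecretpw")  # sample values from this page
    print(req.get_header("Authorization"))
    print(req.data.decode("ascii"))
```

To send the request, pass the object returned by `build_token_request` to `urllib.request.urlopen` and hand the response body to `parse_token_response`.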


  1. You can e.g. use https://www.base64encode.org/ to Base64-encode strings.

  2. You can use the free URL Encoder/Decoder at http://meyerweb.com/eric/tools/dencoder/ for example.

  3. cURL is a free, open source command-line tool and library for transferring data with URL syntax that runs under various operating systems. More info and downloads are available on https://curl.haxx.se/