Maintenance required - Friday January 22nd 12pm (PT)

Support Central will be briefly offline on Friday January 22nd from 12:00 pm (PT) while we make improvements and upgrades to this site.

You are here

Testing your OAuth integration against the APIDEV instance

Monday, 27 January, 2020

APIDEV OAuth token policy has been updated to match production instances and can be found at:


OAuth Access Token Expiry: 1 Hour

The Access Token (AT) is valid for one hour. When an AT is refreshed, new (AT, RT) are provided.

OAuth Refresh Token Expiry: 1 Week

A Refresh Token (RT) is used to obtain a new AT. A valid RT can be used to obtain new (AT, RT) even if the current AT has expired. If (AT, RT) aren’t refreshed within the RT expiry period then the user would have to re-authenticate.

OAuth Refresh Grant Expiry: Never

When the refresh grant expires then the user has to re-authenticate regardless of the RT validity.


Several test user logins (across various organizations) have been configured with access to a test project called 'Hotel VIP'. All users have been pre-configured with access to web services.

Organization                                Name                            Login Name                Password

Majestic Builders                          Doc Controller               dcontroller                   Auth3nt1c

Majestic Builders                          Patrick O’Leary             poleary                        Auth3nt1c

Splice Architecture                       Rajesh Singh                 rsingh                          Auth3nt1c

Splice Architecture                       Antony Taylor                 ataylor                        Auth3nt1c

Enzice Consulting Engineers       Neil Churchill                 nchurchill                   Auth3nt1c

Enzice Consulting Engineers       Alice Templeton             atempleton                 Auth3nt1c

The Project ID for the Hotel VIP test project is: 1879048400

API Keys

When using Aconex APIs, an API key is required in addition to Aconex login credentials. Add your API key to your Aconex API request headers as shown below. Note the difference in the header name for each application.

    Main (Core) Application

    X-Application-Key: 0c3d68fa-4348-4eee-8a1b-eff1c7b2f030

    Field Application

    X-Application: 7cb1cce3-8d8e-4d93-907e-959af432c79c

OAuth test details

This is the test information you need to create an access token on APIDEV:

One-step and two-step verification (1SV and 2SV)

Note: The ‘Client Secret’ can no longer be left blank, as was previously allowed.


      Client ID: apitest

      Client Secret (applicable from 27 Jan 2020): Qqt8VmTY9vzfDfTynHYM

      Token Endpoint: {base url}/as/token.oauth2

      Email: [not used]

      Redirect URI: http://localhost:8089/callback

      username: jwong (use poleary for 1SV)

      password: Auth3nt1c

      TOTP secret: W3LJ GY7Q R347 IZ76 (not required for 2SV)

Single sign on (SSO)


      Client ID: apitest

      Client Secret: [not required]

      Token Endpoint: [client IDP, auto redirect]


      Redirect URI: http://localhost:8089/callback

      username: ahussein_ext

      password: Password1