API authentication without logging into Brightspace via browser

Kim.B.954 Posts: 4 🌱

We are looking to use Java to automate a job to export data from Brightspace using the Brightspace Data Sets in the Data Hub for analysis and reporting, but the OAuth 2.0 authentication steps require us to log in to Brightspace within an internet browser. We would like to know if it is possible to make REST API calls from Java directly to Brightspace without requiring the SSO login. How are other schools authenticating to use the Valence APIs? Is it possible to bypass the "login to browser" step? I submitted a D2L support case and was told there is no way around this. This is a roadblock for us at this point.


  • Jason.W.277
    Jason.W.277 Posts: 4 🌱

    Hi Kim,

    I use the User ID-key authentication method, and then use the key tool to generate and display the user ID and key for a specific app, and then store them as environment variables on our server. As long as you do not change the password on the account that you're using, the user ID and key remain the same, so I would recommend creating an account in D2L for no other purpose to ensure there isn't a reason to reset it. So in this setup, you only need to log in through the browser the very first time to generate the user ID and key.


  • Renee.J.194
    Renee.J.194 Posts: 109 ✨

    @Jason.W.277 and @Kim.B.954 , a problem I have had to work around is that our regular login URL redirects to our SAML identity provider. The special d2l-only account for the app will not be in the SIS, so I need to inject a no-redirect URL into the process.

  • Kim.B.954
    Kim.B.954 Posts: 4 🌱

    @Renee.J.194 and @Jason.W.277 thanks for the feedback! We ran into the same issue with having to find a workaround for the no-redirect URL.

  • William.S.330
    William.S.330 Posts: 2

    Hello, so when getting an initial token, that is correct, you must validate via browser, but after getting an initial token you can use that token until it expires. Once it is expired, you can use your refresh token to get a new access token. The SSO authentication will only be used for the initial process. However, if this discussion post is in regards to Postman having an SSO error (I had the same error), you can get new access tokens through the OAuth2.0 client shell mentioned in this community post: https://community.d2l.com/brightspace/kb/articles/1196-how-to-obtain-an-oauth-2-0-refresh-token

  • Kim.B.954
    Kim.B.954 Posts: 4 🌱

    @Jason.W.277, are you able to log in through the browser via the no-redirect URL using User ID-key auth, or were you forced to log in via SSO?

  • Biff.B.691
    Biff.B.691 Posts: 2

    I'm looking for an alternative also; none of the machines we have that will be using the APIs even have a desktop environment to open a browser from.

  • Alison.F.745
    Alison.F.745 Posts: 2 🌱
    edited February 14

    Hi Kim,

    At our college we have a specific account for web services calls. Then we registered an OAuth 2.0 application in Admin Cog > Manage Extensibility > OAuth 2.0. Then in a browser we go to


    Then sign in as the dedicated web services account. You will then be redirected to the redirect_uri and given an authorization code.

    You can then make a post request to


    With the following in the body:

    grant_type: authorization_code



    EDIT: The client id and client secret need to be in an Authorization header as a base64 encoded ("client_id:client_secret") token, Basic Auth
    "Authorization: Basic [base64_encoded_string]"

    With that call you will get a refresh token and an access token. We have a Django server dedicated to this that makes a call to refresh the access token every hour. This way we do not have to re-authenticate with the account password. We have been running for months like this and have not had to log back in.

    Call to refresh token:

    POST request to:


    grant_type: refresh_token

    refresh_token: REFRESH_TOKEN

    scope: SCOPE_HERE

    EDIT: The client id and client secret need to be in an Authorization header as a base64 encoded ("client_id:client_secret") Bearer token, Basic Auth
    "Authorization: Basic [base64_encoded_string]"

    I'm happy to help and give more specifics on our setup. Hope this helps!

    Alison Figueira, Marist College
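
The refresh call described in the post above, as an added Python example that is not part of the original post or D2L's own code. The token endpoint URL, client credentials, scope and store path are caller-supplied placeholders, and keeping the previous refresh token when the response omits one is an assumption.

```python
import base64, json, os, tempfile
import urllib.parse, urllib.request

def build_refresh_request(token_url, client_id, client_secret, refresh_token, scope):
    """Build the POST from the post: form body plus HTTP Basic client auth."""
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must be HTTPS")  # never send secrets in clear
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    }).encode()
    return urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })

def save_tokens(path, token_response):
    """Persist the token pair atomically in a file only the owner can read."""
    for key in ("access_token", "refresh_token"):
        if not token_response.get(key):
            raise ValueError(f"token response missing {key}")
    pair = {k: token_response[k] for k in ("access_token", "refresh_token")}
    # mkstemp creates the file with mode 0600; chmod makes that explicit.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(pair, fh)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # atomic swap: a crash never leaves a half-written store
    except BaseException:
        os.unlink(tmp)
        raise

def refresh(token_url, client_id, client_secret, store_path, scope):
    """Exchange the stored refresh token and store the pair that comes back."""
    with open(store_path) as fh:
        current = json.load(fh)
    req = build_refresh_request(token_url, client_id, client_secret,
                                current["refresh_token"], scope)
    with urllib.request.urlopen(req, timeout=30) as resp:
        new = json.load(resp)
    # Assumption: if no new refresh token is returned, the old one stays valid.
    new.setdefault("refresh_token", current["refresh_token"])
    save_tokens(store_path, new)
    return new["access_token"]
```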

  • Phyllis.S.916
    Phyllis.S.916 Posts: 2 🌱

    We use ID Key Authorization to call APIs to download data hub data sets for report analysis. It's the same process as yours. We also use Java. It works very well.