API Authentication & Authorization

Prodoscore provides two authentication methods for API access: Login API (standard OAuth 2.0) and Browser Token (temporary, for quick testing).

Method 1: Login API (OAuth 2.0)

Overview: The Login API issues short-lived access tokens and long-lived refresh tokens, allowing your application to authenticate programmatically without hardcoding passwords.

Step 1: Get Your Client ID

Your Client ID is your Prodoscore Customer ID. Find it in the portal:

  1. Click your profile icon (top right) > Account Settings or Customer ID
  2. Your Customer ID is displayed. This is your client_id for API calls.

Step 2: Request an Access Token

Send a POST request to the token endpoint:

    POST https://auth.ag.prodoscore.com/realms/ind-prod/protocol/openid-connect/token
    Content-Type: application/x-www-form-urlencoded

    client_id=YOUR_CUSTOMER_ID&username=USER_EMAIL&password=USER_PASSWORD&grant_type=password

Response:

    {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR...",
      "expires_in": 36000,
      "refresh_expires_in": 604800,
      "refresh_token": "eyJhbGciOiJIUzI1NiIsInR...",
      "token_type": "Bearer"
    }

The access_token is valid for 10 hours (36000 seconds). The refresh_token is valid for 7 days and can be used to get a new access token without re-authentication.

Step 3: Use the Access Token in API Requests

Include the token in the Authorization header of all subsequent API calls:

Authorization: Bearer YOUR_ACCESS_TOKEN

Step 4: Refresh Your Token (Optional)

Before your access token expires, use the refresh token to get a new one:

    POST https://auth.ag.prodoscore.com/realms/ind-prod/protocol/openid-connect/token
    Content-Type: application/x-www-form-urlencoded

    client_id=YOUR_CUSTOMER_ID&grant_type=refresh_token&refresh_token=REFRESH_TOKEN

Method 2: Browser Token (Temporary)

For quick testing or one-off API calls, you can extract your session token directly from the browser:

  1. Log in to the Prodoscore portal
  2. Open Developer Tools (F12 on Windows/Linux, Cmd+Option+I on Mac)
  3. Click the Network tab
  4. Refresh the page (Ctrl+R or Cmd+R)
  5. Find any API request (e.g., to api.ag.prodoscore.com) and click it
  6. In the Request Headers section, find the Authorization header
  7. Copy the full value (e.g., "Bearer eyJhbGci...")

Use this token immediately in your API calls. Browser tokens expire when your session ends (typically when you log out or close the browser).

Security Best Practices

Never expose tokens: Treat access tokens and refresh tokens like passwords. Do not commit them to version control, log them in error messages, or share them via email.
Use environment variables: Store tokens and client IDs in environment variables or a secure secrets manager (like AWS Secrets Manager, HashiCorp Vault, etc.), never hardcoded in your application code.
Implement token rotation: Use refresh tokens to regularly get new access tokens. Do not reuse the same access token indefinitely.
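
The following sketch is an added example, not Prodoscore's own code. It ties Steps 2 to 4 of the Login API to the practices above: credentials come from the environment, tokens live only in memory, and the access token is renewed with the refresh token shortly before it expires. The environment variable names, the 60-second safety margin, and the assumption that a refresh response has the same fields as the Step 2 response are choices made for this example.

```python
import json, os, time, urllib.parse, urllib.request

# Token endpoint as given on this page.
TOKEN_URL = "https://auth.ag.prodoscore.com/realms/ind-prod/protocol/openid-connect/token"

def http_post_form(url, form):
    """Default transport: POST a urlencoded form and return the parsed JSON body."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenManager:
    """Holds the token pair in memory only and renews it shortly before expiry."""
    def __init__(self, client_id, username, password, post=http_post_form,
                 clock=time.monotonic, skew=60):
        self._creds = (client_id, username, password)
        self._post, self._clock, self._skew = post, clock, skew
        self._access = self._refresh = None
        self._access_exp = self._refresh_exp = 0.0

    def _grant(self, form, now):
        body = self._post(TOKEN_URL, form)  # assumed: refresh replies share Step 2's shape
        self._access, self._refresh = body["access_token"], body["refresh_token"]
        self._access_exp = now + body["expires_in"]
        self._refresh_exp = now + body["refresh_expires_in"]

    def auth_header(self):
        """Return the Authorization header, refreshing or re-logging in if needed."""
        now, (client_id, username, password) = self._clock(), self._creds
        if not self._access or now >= self._access_exp - self._skew:
            if self._refresh and now < self._refresh_exp - self._skew:
                # Step 4: trade the refresh token for a new pair (no password sent).
                self._grant({"client_id": client_id, "grant_type": "refresh_token",
                             "refresh_token": self._refresh}, now)
            else:
                # Step 2: first use, or the refresh token has also expired.
                self._grant({"client_id": client_id, "username": username,
                             "password": password, "grant_type": "password"}, now)
        return {"Authorization": f"Bearer {self._access}"}

    def __repr__(self):
        # Keep tokens and the password out of logs and tracebacks.
        return "<TokenManager access=*** refresh=***>"

def from_env():
    # Variable names are assumptions for this example, not defined by Prodoscore.
    return TokenManager(os.environ["PRODOSCORE_CLIENT_ID"],
                        os.environ["PRODOSCORE_USERNAME"],
                        os.environ["PRODOSCORE_PASSWORD"])
```

Pass the dictionary returned by auth_header() as the headers of each API request; the post and clock parameters exist so the renewal logic can be exercised without network access.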