Authentication using OAuth2

Bisnode's latest APIs use OAuth2 for authentication. For all API requests, you need to supply an access token in order to authenticate yourself. To obtain such an access token you need to submit your CLIENT_ID and CLIENT_SECRET to Bisnode's authentication endpoint at The access token is then passed along in the Authorization header to all API requests. Follow the instructions below to learn how to do this.


Get and Use the Access Token

Step 1. Get the Access Token

To get an access token you need to make a POST request to using the following HTTP header: Content-Type: application/x-www-form-urlencoded and the following request body: grant_type=client_credentials&scope=bci The request must be authenticated using HTTP Basic authentication and your CLIENT_ID and CLIENT_SECRET.

Example in cURL

curl -X POST \

     -H "Content-Type: application/x-www-form-urlencoded" \

     -d 'grant_type=client_credentials&scope=bci' \



Example response


  "access_token": "eyJhb....seAtPCCQ",

  "token_type": "Bearer",

  "expires_in": 7199



Step 2. Use the Access Token

Supply your access token with all requests to the API using the HTTP Authorization header: Authorization: Bearer <your access token here> You should reuse the access token for multiple calls to the API. See the next section on recommended usage.


Example in cURL - search for person

curl -X GET \

     -H "Authorization: Bearer eyJhb...seAtPCCQ" \ 9&sourceCountry=SE


Reusing the Access Token

After you have fetched an access token you should save it and use it for subsequent calls to the API. There is no limit on the number of calls it can be used for, but it will expire after a certain time.

We recommend that you use the expires_in field to determine when to request a new access token. It specifies the number of seconds the token will be valid for. Because of possible delays in network communication as well as delays between checking the timestamp and transmitting the actual API request, it is a good idea to request a new token a few seconds before it is about to expire. This minimizes the risk of accidentally using an expired token.

The following pseudo code illustrates how to use the authentication endpoint together with the API.

function make_authorized_api_request():

    token = get_cached_access_token()

    if token == null or is_soon_to_be_expired(token):

        token = get_new_access_token()





function get_new_access_token():

    token = get_token_from_auth_endpoint()

    token.expiration_timestamp = now().add_seconds(token.expires_in)

    return token



function is_soon_to_be_expired(token):

    # Add time margin to avoid token expiring during call

    if now().add_seconds(60) >= token.expiration_timestamp:

        return true

    return false