Experian's APIs are secured using the OAuth 2.0 protocol, which provides authentication and authorisation by means of an access token. When a developer creates an app, a client_id and client_secret are generated. These, along with the developer's username and password, are provided to the Authorisation endpoint to get an access token. This access token is then used with each API request.

The steps below detail the process.

Step 1: Generating OAuth Access Tokens

Experian APIs implement the OAuth v2.0 password grant type to obtain the access token. The following is a sample curl request to obtain the access token:


curl -X POST \
  -d '{ "username" : "yourname@yourdomain.com", "password": "YourPassword" }' \
  -H "Client_id: A8djrikjdiogogdfiusdqp84k49fjeggs9" \
  -H "Client_secret: vdi330dglkgpPR22ls" \
  -H "Cache-Control: no-cache" \
  -H "Content-Type: application/json" \
  "<token endpoint URL>"

On successful validation of credentials, an access token will be generated.

{
  "issued_at": "1478105120762",
  "expires_in": "10799",
  "token_type": "Bearer",
  "access_token": "tBqZD0B5w2A7iwYTRY4Y7ePR0vfDOwg"
}

Step 2: Using Access Tokens

After an application obtains the access token, it sends it to an Experian API in the HTTP Authorization header, as this avoids persisting it in client-side and server-side logs. Access tokens are valid for a limited lifetime, typically a few hours.

Below is a sample HTTP request using an access token:

curl -X GET \
  -H "Content-type: application/json" \
  -H "Authorization: Bearer oABDM5cz35NpEjgJmTFwaYrhAUQK" \
  "<API endpoint URL>"


Step 3: Token Expiry

When you get a "401 Unauthorized" error in response to your request, the access token may have expired and a new one should be requested. A bearer token's expiry can be calculated from the "expires_in" and "issued_at" values. If the token is JWT formatted, it can be inspected and validated (see http://www.jwt.io).
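
The expiry calculation from Step 3, as an added Python example that is not Experian's own code. It assumes "issued_at" is in epoch milliseconds (the sample value has 13 digits) and "expires_in" is in seconds; fetch_token is a hypothetical callable that performs the Step 1 request and returns the parsed response, and the 60-second refresh margin is likewise an assumption.

```python
import time

SKEW_SECONDS = 60  # assumed safety margin: refresh this long before expiry

# Constructed sample, shaped like the Step 1 response (all values are strings).
SAMPLE = {"issued_at": "1478105120762", "expires_in": "10799",
          "token_type": "Bearer", "access_token": "tBqZD0B5w2A7iwYTRY4Y7ePR0vfDOwg"}


def expiry_epoch(token_response):
    """Expiry in epoch seconds; assumes issued_at is milliseconds, expires_in seconds."""
    issued_ms = int(token_response["issued_at"])
    lifetime_s = int(token_response["expires_in"])
    if issued_ms <= 0 or lifetime_s <= 0:
        raise ValueError("token response has non-positive timing fields")
    return issued_ms / 1000 + lifetime_s


class TokenCache:
    """Holds one bearer token and replaces it shortly before it expires."""

    def __init__(self, fetch_token, clock=time.time):
        self._fetch = fetch_token  # hypothetical callable doing the Step 1 request
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def invalidate(self):
        """Call after a 401 response so the next request fetches a new token."""
        self._token = None

    def authorization_header(self):
        if self._token is None or self._clock() >= self._expires_at - SKEW_SECONDS:
            response = self._fetch()
            if response.get("token_type") != "Bearer":
                raise ValueError("unexpected token_type in token response")
            self._expires_at = expiry_epoch(response)
            self._token = response["access_token"]
        return {"Authorization": "Bearer " + self._token}

    def __repr__(self):
        # Keep the token itself out of logs and tracebacks.
        return "<TokenCache expires_at=%d>" % self._expires_at
```

Refreshing slightly early avoids most 401 responses; when one still occurs, call invalidate() and retry the request once.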