Authentication
All Open Cosmos APIs require authentication using OAuth 2.0. This page explains the supported authentication flows and how to obtain access tokens for the DataCosmos API.
Open Cosmos uses Auth0 as its authentication provider. The Auth0 domain is login.open-cosmos.com.
Choosing the Right Flow
There are three supported authentication flows. Use the table below to decide which one applies to your situation:
| Flow | Best for | You need from Open Cosmos | You must provide |
|---|---|---|---|
| Client Credentials | Server-to-server / automated scripts, no user interaction | client_id, client_secret | Nothing |
| Authorization Code | Web apps or native apps where a user logs in | client_id | Login redirect URI, post-logout redirect URI |
| Implicit | Browser-only apps (simpler, but less secure) | client_id | Redirect URI |
NOTE
Contact the DataCosmos team to get your credentials and to confirm which flow is configured for your account.
Option 1: Client Credentials
Use this when: your application runs on a server or as a script, with no user present. The token represents your application, not an individual user.
What you need from Open Cosmos: client_id and client_secret.
This is the OAuth 2.0 Client Credentials flow. Your application exchanges its credentials directly for an access token, without any user interaction.
Request an access token
Send a POST request to the token endpoint:
POST https://login.open-cosmos.com/oauth/token
Content-Type: application/json
{
"client_id": "<client_id>",
"client_secret": "<client_secret>",
"audience": "https://beeapp.open-cosmos.com",
"grant_type": "client_credentials"
}
Save these credentials to data_cosmos_api_credentials.json in your working directory.
Bash
DATACOSMOS_ACCESS_TOKEN=$(curl --request POST "https://login.open-cosmos.com/oauth/token" \
--header "Content-Type: application/json" \
-d @data_cosmos_api_credentials.json | jq -r ".access_token")
echo $DATACOSMOS_ACCESS_TOKEN
Python
Requests example
import json
import requests
with open("data_cosmos_api_credentials.json") as fp:
oauth_body = json.load(fp)
session = requests.Session()
req = session.post(
"https://login.open-cosmos.com/oauth/token",
data=oauth_body
).json()
session.headers.update(
{"Authorization": f'{req["token_type"]} {req["access_token"]}'}
)
print(req["access_token"])
Oauthlib example
Requires installation of the Requests OAuthlib package.
import json
from oauthlib.oauth2 import BackendApplicationClient
from requests_oauthlib import OAuth2Session
with open("data_cosmos_api_credentials.json") as fp:
credentials = json.load(fp)
client = BackendApplicationClient(client_id=credentials["client_id"])
session = OAuth2Session(client=client)
session.fetch_token(
token_url="https://login.open-cosmos.com/oauth/token",
client_id=credentials["client_id"],
client_secret=credentials["client_secret"],
audience=credentials["audience"],
)
Option 2: Authorization Code
Use this when: your application is a web app or native app where a real user needs to log in. The token represents the authenticated user.
What you need from Open Cosmos: client_id.
What you must provide to Open Cosmos: the redirect URI(s) your application uses after login.
This is the OAuth 2.0 Authorization Code flow. The user is redirected to Open Cosmos's login page, authenticates, and is then redirected back to your application with an authorization code. Your server exchanges the code for an access token.
For added security in public clients (e.g. single-page apps), use the Authorization Code flow with PKCE.
Step 1: Redirect the user to the authorization endpoint
GET https://login.open-cosmos.com/authorize
| Parameter | Value |
|---|---|
response_type | code |
client_id | Your client_id |
redirect_uri | Your registered callback URL |
audience | https://beeapp.open-cosmos.com |
scope | openid profile email (adjust as needed) |
state | A random value to protect against CSRF |
Example URL:
https://login.open-cosmos.com/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>&audience=https%3A%2F%2Fbeeapp.open-cosmos.com&scope=openid%20profile%20email&state=<random_state>
Step 2: Handle the callback
After the user authenticates, they are redirected to your redirect_uri with a code parameter:
https://<redirect_uri>?code=<authorization_code>&state=<state>
Verify that the state matches the value you sent in Step 1.
Step 3: Exchange the code for an access token
Send a POST request from your server to the token endpoint:
POST https://login.open-cosmos.com/oauth/token
Content-Type: application/x-www-form-urlencoded
| Parameter | Value |
|---|---|
grant_type | authorization_code |
client_id | Your client_id |
code | The authorization code from Step 2 |
redirect_uri | The same redirect URI used in Step 1 |
The response contains an access_token you can use as a bearer token in API requests.
Python example
import requests
# Step 3: Exchange code for token (run server-side)
response = requests.post(
"https://login.open-cosmos.com/oauth/token",
data={
"grant_type": "authorization_code",
"client_id": "<client_id>",
"code": "<authorization_code>",
"redirect_uri": "<redirect_uri>",
},
)
token_data = response.json()
access_token = token_data["access_token"]
TIP
Most web frameworks have OAuth 2.0 libraries that handle the redirect, state verification, and token exchange for you. See Auth0's quickstarts for guides in your language or framework.
Option 3: Implicit (Legacy)
WARNING
The Implicit flow is simpler, but less secure than the Authorization Code flow. Use Authorization Code for new integrations where possible.
Use this when: you have a legacy browser-only application that cannot use the Authorization Code flow.
What you need from Open Cosmos: client_id.
What you must provide to Open Cosmos: the redirect URI your application uses after login.
In this flow the access token is returned directly in the URL fragment after the user authenticates. No client secret is required, and no server-side token exchange takes place.
Authorization request
https://login.open-cosmos.com/authorize?response_type=token&client_id=<client_id>&redirect_uri=<redirect_uri>&audience=https%3A%2F%2Fbeeapp.open-cosmos.com
After login, the browser is redirected to your redirect_uri with the token in the URL fragment:
https://<redirect_uri>#access_token=<token>&token_type=Bearer&expires_in=86400
Use the access_token value as the bearer token in API requests.
Using the Access Token
Regardless of which flow you use, include the access token as a bearer token in the Authorization header of every API request:
Authorization: Bearer <access_token>
Where to Next