Falcor API Using your API

Community maintained

Calling the API from your application

You can call the API from your client application by passing an Access Token in the Authorization header of your HTTP request as a Bearer token.

curl --request GET \
  --url http://localhost:3010/api/private \
  --header 'authorization: Bearer YOUR_ACCESS_TOKEN'
var client = new RestClient("http://localhost:3010/api/private");
var request = new RestRequest(Method.GET);
request.AddHeader("authorization", "Bearer YOUR_ACCESS_TOKEN");
IRestResponse response = client.Execute(request);
package main

import (

func main() {

	url := "http://localhost:3010/api/private"

	req, _ := http.NewRequest("GET", url, nil)

	req.Header.Add("authorization", "Bearer YOUR_ACCESS_TOKEN")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)


HttpResponse<String> response = Unirest.get("http://localhost:3010/api/private")
  .header("authorization", "Bearer YOUR_ACCESS_TOKEN")
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "http://localhost:3010/api/private",
  "method": "GET",
  "headers": {
    "authorization": "Bearer YOUR_ACCESS_TOKEN"

$.ajax(settings).done(function (response) {
var request = require("request");

var options = { method: 'GET',
  url: 'http://localhost:3010/api/private',
  headers: { authorization: 'Bearer YOUR_ACCESS_TOKEN' } };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer YOUR_ACCESS_TOKEN" };

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"http://localhost:3010/api/private"]
[request setHTTPMethod:@"GET"];
[request setAllHTTPHeaderFields:headers];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_PORT => "3010",
  CURLOPT_URL => "http://localhost:3010/api/private",
    "authorization: Bearer YOUR_ACCESS_TOKEN"

$response = curl_exec($curl);
$err = curl_error($curl);


if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
import http.client

conn = http.client.HTTPConnection("localhost:3010")

headers = { 'authorization': "Bearer YOUR_ACCESS_TOKEN" }

conn.request("GET", "/api/private", headers=headers)

res = conn.getresponse()
data = res.read()

require 'uri'
require 'net/http'

url = URI("http://localhost:3010/api/private")

http = Net::HTTP.new(url.host, url.port)

request = Net::HTTP::Get.new(url)
request["authorization"] = 'Bearer YOUR_ACCESS_TOKEN'

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["authorization": "Bearer YOUR_ACCESS_TOKEN"]

var request = NSMutableURLRequest(URL: NSURL(string: "http://localhost:3010/api/private")!,
                                        cachePolicy: .UseProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.HTTPMethod = "GET"
request.allHTTPHeaderFields = headers

let session = NSURLSession.sharedSession()
let dataTask = session.dataTaskWithRequest(request, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
  } else {
    let httpResponse = response as? NSHTTPURLResponse


The exact implementation will be dependent on the type of application you are developing and the framework you are using. For more information refer to the relevant client Quickstarts which contain detailed instructions:

Obtaining an Access Token for testing

If you want to test your API outside your application, for example from the command line or a tool like Postman, you can obtain an Access Token using the Authentication API Debugger Extension or from the Test tab in your API settings.

You can also obtain an Access Token using cUrl by using the Client Credentials or Resource Owner Password authorization flows.

1. Using Client Credentials

curl --request POST \
  --url 'https://YOUR_AUTH0_DOMAIN/oauth/token' \
  --header 'content-type: application/json' \
  --data '{ "client_id":"YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "audience": "YOUR_API_AUDIENCE", "grant_type": "client_credentials" }'

When using the Client Credentials flow, you will need to register a Non Interactive Client. You should then subsequently use the Client ID and Client Secret of this Non Interactive Client when making the request shown above and pass those along in the client_id and client_secret parameters respectively.

2. Using Resource Owner Password

curl --request POST \
  --url 'https://YOUR_AUTH0_DOMAIN/oauth/token' \
  --header 'content-type: application/json' \
  --data '{ "client_id":"YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "audience": "YOUR_API_AUDIENCE", "grant_type": "password", "username": "USERNAME", "password": "PASSWORD", "scope": "SCOPE" }'

Test Your API with cURL

You can test your API using cURL using an Access Token you obtained before.

1. Calling the secure endpoint

You can make a request to the /api/private endpoint without passing any Access Token:

curl -i http://localhost:3010/api/private

The API will return a 401 HTTP (Unauthorized) status code:

Response for unauthorized API request

Once again, make the same request but this time pass along the Access Token as a Bearer token in the Authorization header of the request:

curl -i http://localhost:3010/api/private \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

This time the API will return a successful response:

Response for authorized API request

2. Testing the scoped endpoint

To test the endpoint that require a scope, pass the Access Token containing the correct scope as a Bearer token in the Authorization header:

curl -i http://localhost:3010/api/private-scoped \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

If the required scope is present, the API call is successful:

Response for scoped API request

If the required scope is not present, the API returns a 403 HTTP Status (Forbidden):

Response for forbidden scoped API request

Previous Tutorial
1. Authentication
Was this article helpful?
Use Auth0 for FREECreate free Account