
Using get_token

The get_token utility lets you exchange your Apigee credentials for an access and refresh token that you can then use to access Apigee management APIs. Unlike acurl, get_token simply gets and stores tokens on your disk. It's up to you to add a valid token in your requests and get a new token when yours expires.

You use access tokens to call the management API with the OAuth, SAML, or LDAP workflows.

Prerequisite: Before you can use get_token, you must install it.

get_token syntax

The get_token utility uses the following syntax:

get_token -u email_address[:password] [-m mfa_code] [-p passcode]


| Element | Required? | Description |
|---|---|---|
| email_address | Required (first time only) | The email address associated with your Apigee account. You must pass your email address in the first time you call get_token. You will not need to pass your email address in again until the access and refresh tokens have expired. |
| password | Optional | The password for your Apigee account. If you omit the password, you will be prompted to enter it. If you do not want to use your password directly in the command, you can use a one-time passcode instead of your password (SAML only). |
| mfa_code | Optional | A temporary code that you must pass to get_token if you have enabled multi-factor authentication (MFA). If you do not have MFA enabled, you can omit this option. |
| passcode | Optional | A one-time passcode, which you can use in place of a password. You can use a passcode only when authenticating with a SAML IDP. You cannot use a passcode to authenticate with an LDAP IDP. |

For example:

get_token -u
get_token -u -p 123456
get_token -u -m 424242
get_token -u -m 424242

A successful call prints a valid access token to stdout and stores both the access and refresh tokens in ~/.sso-cli. You can use these tokens until they expire, as described in Token expiration.

After your first successful call to get_token, you do not need to include your credentials until the tokens have expired.

Call get_token for the first time

If you don't specify any options, get_token will prompt you for your username (email address), password or passcode, and a temporary multi-factor authentication (MFA) code on your first call:

  • (SAML only) To use a passcode instead of a password, press ENTER when prompted for a password.
  • If you don't use MFA, press ENTER when prompted for an MFA code.

The following example calls get_token for the first time and uses an MFA code instead of a password for authentication:

Enter username:
Enter the password for user ''
Enter the six-digit code if '' is MFA enabled or press ENTER:


To skip entering a passcode, press ENTER when prompted for the passcode.

Add your access token to a request

After you successfully call get_token, you can use the access token by passing it in the Authorization header of your calls to the management API. You can do this in different ways, including:

  • Copy the contents of the get_token response and insert it directly into your header:
    curl -v \
      -H "Authorization: Bearer B42CnTIYPxr...88NI5Q"
  • Combine commands to get the token and add it to the header:
    token=`get_token`; curl -H "Authorization: Bearer $token" \

    Note that get_token is surrounded by backticks (rather than single quotes) so that it is executed.

  • Call get_token within the curl call:
    curl -H "Authorization: Bearer `get_token`" \

    Note that get_token is surrounded by backticks (rather than single quotes) so that it is executed.

These sample requests get details about the "ahamilton-eval" organization. For a complete list of management API endpoints, see Apigee API Reference.
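
Because get_token keeps the access and refresh tokens on disk in ~/.sso-cli and the samples above place the token on the curl command line, the following added example (not part of the Apigee tooling or documentation) checks that the token store is private to its owner and passes the header to curl on stdin. The function names are hypothetical, and the wrapper assumes get_token is on your PATH and curl is version 7.55.0 or later.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes the default token
# store ~/.sso-cli named on this page and curl 7.55.0+ (for -H @-).

# List entries in the token store that group or other can access.
# Returns 0 if the store is private to its owner, 1 if not, 2 if missing.
audit_token_store() {
    dir=${1:-$HOME/.sso-cli}
    [ -d "$dir" ] || { echo "no token store at $dir" >&2; return 2; }
    # POSIX find: -perm -NNN matches when that bit is set; symlinks skipped.
    loose=$(find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose"
        return 1
    fi
    return 0
}

# Remove all group/other permissions from the store and its contents.
harden_token_store() {
    chmod -R go-rwx "${1:-$HOME/.sso-cli}"
}

# curl wrapper: refuses to run while the store is exposed, then feeds the
# Authorization header to curl on stdin so the bearer token does not appear
# in curl's argument list (visible to other local users through ps).
apigee_curl() {
    token=$(get_token) || return 1
    if ! audit_token_store >/dev/null; then
        echo "token store is not private; run harden_token_store" >&2
        return 1
    fi
    printf 'Authorization: Bearer %s\n' "$token" | curl -sS -H @- "$@"
}
```

Call apigee_curl with the same URL and options you would otherwise give curl; it adds the Authorization header itself.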

Use get_token with OAuth2, SAML, and LDAP

The get_token utility can be used in the OAuth2, SAML, and LDAP flows to get an access token and to refresh it.

However, if you use more than one flow, you may need to use a separate machine or get new tokens periodically. For more information, see Use OAuth2 and SAML or LDAP at the same time.