Once you have created a developer application for the product you want to access, you (or your users) will need to access that product (log in) and obtain an authorization code. The authorization code can then be sent to generate an access token.

IMPORTANT: To get an access token for GoToAssist Corporate, see How to Use Direct Login.

1 - Request Authorization Code

Create an authorization request on behalf of a GoTo product user. It sends them to a product login page.

  1. In the My Apps page, open your application and copy the Consumer Key value.
  2. Insert the Consumer Key value into the following URL to replace {consumerKey}:
  3. The product account holder sends the URL. They are directed to the sign-in page for the product.
  4. If they are not already logged in, they sign in with their credentials and must click Allow to grant access to the developer application. The user is then automatically redirected to the redirect URI you defined in the developer center application. The redirect URI (in the browser address bar) has a Response Key added to it.

IMPORTANT: You may see an error on the page such as 404 NOT FOUND. This is not a problem. Look at the URL in the browser. It contains the responseKey you need for the next step. It will look something like:


You can include an optional redirect URI and/or a state parameter. For details, see the section, Optional: Add a Redirect URI, below.

2 - Request Access Token

In the previous step you acquired a responseKey. You can now pass the responseKey on behalf of this user to request an access token and other details about the user account. Each responseKey can only be exchanged once. Any subsequent attempts will result in an error.

Request an access token using a POST call. You can use the curl API Command Line interface for this. Your request can also be sent through an API client such as Postman, or through your client application.

The curl syntax below shows the full request. Details on creating the Authorization header and the other POST data follow the code sample.

curl -X POST "https://api.getgo.com/oauth/v2/token" \
  -H "Authorization: Basic {Base64 Encoded consumerKey and consumerSecret}" \
  -H "Accept:application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&code={responseKey}"

Authorization Header

The authorization header is created by base64-encoding the app's consumer key and consumer secret. To encode these values, open an encoding site (https://www.base64encode.org) and paste in the consumerKey, add a colon (:), and then paste in the consumerSecret. No spaces, no quotes, no brackets. Submit the values and an encoded value is returned that will look something like: ZXhhbXBsZV9jbGllbnRfaWQ6ZXhhbXBsZV9jbGllbnRfc2VjcmV0==. Add this value to the Authorization header after the word Basic as shown in the cURL example above.

POST Data Content

Parameter    Description          Format   Required
grant_type   authorization_code   string   required
code         responseKey          string   required
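
The same request assembled in a client application, with the Authorization header encoded locally so the consumer secret never has to be pasted into a website. This is an added example, not code from the original page or from GoTo; the function names are hypothetical, the sample credentials are constructed, and the optional redirect_uri field follows the rule given in the redirect URI section.

```python
import base64
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.getgo.com/oauth/v2/token"  # from the curl sample above


def basic_auth_value(consumer_key, consumer_secret):
    """Build the Authorization header value locally (hypothetical helper)."""
    for name, value in (("consumerKey", consumer_key),
                        ("consumerSecret", consumer_secret)):
        # "No spaces, no quotes, no brackets": reject copy-paste residue.
        if not value or any(c.isspace() or c in "\"'{}[]<>" for c in value):
            raise ValueError(f"{name} is empty or has spaces, quotes or brackets")
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(consumer_key, consumer_secret, response_key,
                        redirect_uri=None):
    """Return the POST request for the token exchange without sending it."""
    fields = {"grant_type": "authorization_code", "code": response_key}
    if redirect_uri is not None:
        # Needed only if the authorization request carried redirect_uri,
        # and then it must be the identical value.
        fields["redirect_uri"] = redirect_uri
    return urllib.request.Request(
        TOKEN_URL,
        data=urllib.parse.urlencode(fields).encode("ascii"),
        headers={
            "Authorization": basic_auth_value(consumer_key, consumer_secret),
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real response key.
    req = build_token_request("example_client_id", "example_client_secret",
                              "constructedResponseKey")
    print(req.get_method(), req.full_url)
    print(req.data.decode("ascii"))  # the header is not printed: it holds the secret
```

Pass the returned request to urllib.request.urlopen to send it; each responseKey can be exchanged only once.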

Response Example

This returns an access token and user information:


Response Data

Parameter       Description
access_token    OAuth access token
expires_in      The access token's expiration time in seconds (3600 = 60 minutes)
token_type      The type of the access token (always "Bearer")
refresh_token   Refresh token identifier, valid for 30 days, or until product logout
organizer_key   GoTo product user organizer key
account_key     GoTo product account key (may be blank)
account_type    GoTo product type “personal” or “corporate” (may be missing or blank)
firstName       GoTo product user organizer first name (G2M only)
lastName        GoTo product user organizer last name (G2M only)
email           GoTo product user organizer email (G2M only)
version         The version of the access token

This access token can now be used to authorize API requests by setting it in the Authorization header with the following format: "Authorization: Bearer {access_token}". E.g. for the GET /me request of the Admin API:

curl -H "Accept: application/json" -H "Authorization: Bearer RlUe11faKeyCWxZToK3nk0uTKAL" "https://api.getgo.com/admin/rest/v1/me"

You can also use the access_token and organizer_key values in the API Reference page for the product, or in API calls in your client application.

To create programmatic updates of your access tokens, see the SDK documentation.

Optional: Add a Redirect URI

A redirect URI is the target URI to which your authorization code is posted. The code is then exchanged for an access token that you can use to authenticate subsequent API calls.

To add a redirect URI, make sure the URI is defined in your application under MyApps.

IMPORTANT: The redirect_uri is required in the access token request if you include the redirect_uri parameter in the authorization request. Their values MUST be identical. If it is not included in the access token request, then any redirect_uri value passed in the authorization request is ignored and the first URL defined in the application under MyApps is used.

A redirect URL of http://example.com can support any of the following redirect URLs:

However, you must encode the URI:

  • http%3A%2F%2Fcode.example.com

You can also add a state parameter to the authorization call. This also validates the environment. The state value should be returned unchanged. If it is missing or corrupted, the OAuth transaction might be compromised. An example of the use of redirect URI and state:


If you included a specific redirect URI and state, the response looks like:
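
Added example, not part of the original page or GoTo's own code: a client-side check that the state came back unchanged before the response key is exchanged for a token. The function names are hypothetical, the redirect URLs are constructed, and it assumes the redirect carries the response key in the standard OAuth 2.0 `code` query parameter alongside `state`.

```python
import hmac
import secrets
import urllib.parse


class OAuthRedirectError(Exception):
    """The redirect must not be used to request an access token."""


def new_state():
    """Unguessable per-request value; keep it in the user's session."""
    return secrets.token_urlsafe(32)


def response_key_from_redirect(redirect_url, expected_state):
    """Return the response key only if state round-tripped unchanged."""
    query = urllib.parse.urlsplit(redirect_url).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    states = params.get("state", [])
    codes = params.get("code", [])  # assumed parameter name (standard OAuth 2.0)
    # Missing, duplicated or altered state: treat the transaction as compromised.
    if len(states) != 1 or not hmac.compare_digest(
            states[0].encode("utf-8"), expected_state.encode("utf-8")):
        raise OAuthRedirectError("state is missing or does not match")
    if len(codes) != 1 or not codes[0]:
        raise OAuthRedirectError("redirect has no single response key")
    return codes[0]


if __name__ == "__main__":
    state = new_state()  # sent as the state parameter of the authorization call
    # Constructed redirect URLs for illustration.
    good = "http://example.com/?code=constructedResponseKey&state=" + state
    bad = "http://example.com/?code=constructedResponseKey&state=tampered"
    print(response_key_from_redirect(good, state))
    try:
        response_key_from_redirect(bad, state)
    except OAuthRedirectError as err:
        print("rejected:", err)
```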