Direct login is a procedure for authorizing API requests in a secured environment such as GoToAssist Corporate. It passes user credentials in the call and so is not available for non-secured environments. The OAuth 2.0 method described in How to Get an Access Token and Organizer Key is recommended for all products other than GoToAssist Corporate.

GoToAssist Corporate tokens

For GoToAssist Corporate, the only authorization method supported is Direct Login. For all other products use OAuth. Once you create a new access token for GoToAssist Corporate, all other tokens for the application are revoked.

Direct Login requests require a single call. Curl syntax is shown to include the full request. Your request can be sent through an API client such as Postman, or through your client application.

Request Application and User Authentication

Copy the Consumer Key value from your developer center application and insert the value into the following URL to replace {consumerKey}:

curl -X POST -H "Accept:application/json" -H "Content-Type: application/x-www-form-urlencoded" "" -d 'grant_type=password&{consumerKey}'

Request Parameters

Parameter Description Format Required
grant_type string reading "password" string required
user_id user's login ID string required
password user's password string required
client_id the application client_id or Consumer Key string required

Response Example

This returns an access token and user information:

{  "access_token":"RlUe11faKeyCWxZToK3nk0uTKAL",  "expires_in":"3600",  "refresh_token":"d1cp20yB3hrFAKeTokenTr49EZ34kTvNK",  "organizer_key":"8439885694023999999",  "account_key":"9999982253621659654",  "account_type":"",  "firstName":"Mahar",  "lastName":"Singh",  "email":"",  "platform":"GLOBAL",  "version":"2", }

Response Data

Parameter Description
access_token OAuth access token
expires_in The access token's expiration time in seconds (60 minutes)
refresh_token The token to use to obtain a new access token, for example, if the current access token has expired. The refresh token is valid for 30 days.
How to Use Refresh Tokens describes how to use it.
organizer_key GoTo product user organizer key
account_key GoTo product account key (may be blank)
account_type GoTo product type “personal” or “corporate” (may be missing or blank)
firstName GoTo product user organizer first name (only G2M, missing or blank for other products)
lastName GoTo product user organizer last name (only G2M, missing or blank for other products)
email GoTo product user organizer email (only G2M, missing or blank for other products)
platform The platform the user's GoTo product account is on ("GLOBAL")
version The version of the access token


This access token can now be used to authorize API requests by setting it in the Authorization header with the following format: "Authorization: Bearer {access_token}".

E.g. for the GET /me request of the Admin API:

curl -H "Accept: application/json" -H "Authorization: Bearer RlUe11faKeyCWxZToK3nk0uTKAL" ""

You can also use the access_token and organizer_key values in the API Reference page for the product, or in API calls in your client application.