A valid access token is required to make a successful API call for the GoTo products. Access tokens have a lifespan of 60 minutes. Getting a new access token requires either a new product login and new token request, or a request that contains a refresh token. Refresh tokens are good for 30 days and are renewed at the end of that period.

To use a refresh token, you send an API token request with a grant type of refresh_token and the refresh token value from the original token request. A sample request is shown below in curl format.

curl -X POST "https://api.getgo.com/oauth/v2/token" \
  -H "Authorization: Basic OEE1M3luSEVoVm5IUjZyc1RHOExheVRsfaKeUWRuc0g6NWM5NzJ1ZndnSzRHeEpOaQ==" \
  -H "Accept:application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&refresh_token=WUlzT6mfAKe7PY92L9Z4TLuBcOZIlrrR"

The Authorization header value is the same as the one you used to obtain the original token, namely the string of consumerKey:consumerSecret base64 encoded. The refresh token is the value received in the results body when you received the original access token.

Response Example

This returns a new access token and user information. The refresh token returned in the call will be the same one you just sent for the full 30-day lifespan of the token. IMPORTANT: As of March 15, 2020, the Access Token and Refresh Token are more secure and are much larger strings than previously.


Response Data

Parameter       Description
access_token    OAuth access token
expires_in      The access token's expiration time in seconds (60 minutes)
token_type      The type of the access token (always "Bearer")
refresh_token   Current refresh token
organizer_key   GoTo product user organizer key
account_key     GoTo product account key (may be blank)
account_type    GoTo product type “personal” or “corporate” (may be missing or blank)
firstName       GoTo product user organizer first name (G2M only)
lastName        GoTo product user organizer last name (G2M only)
email           GoTo product user organizer email (G2M only)
version         The version of the access token

This new access token can now be used to authorize API requests by setting it in the Authorization header with the following format: "Authorization: Bearer {access_token}".

You can also use the access_token and organizer_key values in the API Reference page for the product, or in API calls in your client application.

To create programmatic updates of your access tokens, see the SDK documentation.

Example of use

Event 1: Generate an access token. The body of the response contains a refresh token.

Event 2+n: At any time when you need access (within the next 30 days), send a grant_type=refresh_token request. The body of the response contains the same refresh token as the first request. Best practice is to harvest the refresh token from the response body daily and use it for the next grant_type=refresh_token request.

Event 3: At some point, on or about day 30 of the refresh token's lifecycle, the response body will contain a new refresh token, good for the next 30 days.
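
The three events above can be handled by one small client-side helper. The following is an added example, not code from GoTo or its SDK: TokenManager, build_refresh_request, http_post and the save callback are hypothetical names, and the transport and clock are injectable so the logic can be exercised offline.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = "https://api.getgo.com/oauth/v2/token"  # endpoint shown on this page

def build_refresh_request(consumer_key, consumer_secret, refresh_token):
    """Headers and form body for a grant_type=refresh_token request."""
    basic = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token})
    return headers, body

def http_post(url, headers, body):
    """Default transport: POST the form and decode the JSON response."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenManager:
    """Hypothetical helper: caches the access token, harvests the refresh token."""
    def __init__(self, consumer_key, consumer_secret, refresh_token,
                 post=http_post, now=time.time, save=lambda token: None):
        self.key, self.secret = consumer_key, consumer_secret
        self.refresh_token = refresh_token
        self.post, self.now, self.save = post, now, save
        self.access, self.expires_at = None, 0.0

    def access_token(self, skew=60):
        """Return a valid access token, refreshing shortly before it expires."""
        if self.access is None or self.now() >= self.expires_at - skew:
            self.refresh()
        return self.access

    def refresh(self):
        headers, body = build_refresh_request(self.key, self.secret, self.refresh_token)
        data = self.post(TOKEN_URL, headers, body)
        self.access = data["access_token"]
        self.expires_at = self.now() + int(data["expires_in"])
        # Harvest the refresh token on every response: it is normally unchanged,
        # but around day 30 a new one arrives and must be stored for later requests.
        harvested = data.get("refresh_token")
        if harvested and harvested != self.refresh_token:
            self.refresh_token = harvested
            self.save(harvested)  # persist to a secret store; never log the value
```

Pass a save callback that writes to your secret store so a rotated refresh token survives a process restart.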