OverDrive API Security
OverDrive APIs are secured using OAuth v2.0, which provides developer account authentication and verification by way of a user access token. Once your developer application has been approved, OverDrive will provide a client key and client secret which, when provided to the OverDrive authorization endpoint, will return an access token. The access token must be included with each API request. If you haven't already, take a look at the Getting Started page to learn how to register for your credentials.
Learn more about the OAuth protocol.
Using OAuth Tokens
All OverDrive APIs use the OAuth v2.0 client credentials flow. You can get an OAuth access token at https://oauth.overdrive.com/token by providing your client key and client secret using Basic Authentication.
To create the POST request:
- Combine your client key and client secret like this: clientKey:clientSecret.
- Use your language's libraries to Base64-encode the combined key and secret.
- Apply the string to the 'Authorization' header like this: Basic [Base64 string] (see the example below).
    POST /token HTTP/1.1
    Host: oauth.overdrive.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8

    grant_type=client_credentials
Note: "grant_type=client_credentials" is the body of the request.
If your credentials are valid, an access token will be returned as part of the response:
    {
      "access_token": "2YotnFZFEjr1zCsicMWpAA",
      "token_type": "Bearer",
      "expires_in": 3600,
      "scope": "LIB META SRCH AVAIL"
    }
You can extract the access_token and token_type values from this response to include them in OverDrive API calls as part of the "Authorization" header as shown in the example below:
    GET /v1/libraries/1225 HTTP/1.1
    Host: api.overdrive.com
    Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
    User-Agent: Your App Here
    X-Forwarded-For: (Client IP Address)
You will need to present this OAuth access token when making a request to any OverDrive API. OAuth tokens expire after a set amount of time. If you send a token and get a 401 error in response, then your token has expired and you'll need to request a new one.
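The token request, header construction and refresh-on-401 behaviour described above, as an added Python example (not OverDrive's code). The `TokenCache` class, the injected `send(method, url, headers, body)` transport returning `(status, body)`, and the 60-second expiry margin are assumptions made for illustration.

```python
import base64
import json
import time

TOKEN_URL = "https://oauth.overdrive.com/token"  # token endpoint given on this page

def basic_header(client_key, client_secret):
    """Build 'Basic <Base64(clientKey:clientSecret)>' for the token request."""
    raw = f"{client_key}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

class TokenCache:
    """Hypothetical helper: caches the access token, renews it on expiry or a 401."""

    def __init__(self, client_key, client_secret, send, clock=time.monotonic, skew=60):
        # send(method, url, headers, body) -> (status, body_text) is an assumed
        # transport hook, so the logic can be exercised without network access.
        self._auth = basic_header(client_key, client_secret)
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._type, self._deadline = None, None, 0.0

    def _refresh(self):
        status, body = self._send("POST", TOKEN_URL, {
            "Authorization": self._auth,
            "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        }, "grant_type=client_credentials")
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        data = json.loads(body)
        self._token, self._type = data["access_token"], data["token_type"]
        # Renew slightly before expires_in elapses (the margin is an assumption).
        self._deadline = self._clock() + int(data["expires_in"]) - self._skew

    def authorization(self):
        """Return the 'Authorization' header value for an API call."""
        if self._token is None or self._clock() >= self._deadline:
            self._refresh()
        return f"{self._type} {self._token}"

    def get(self, url, headers=None):
        """GET with the bearer token; on a 401, fetch a new token and retry once."""
        for _ in range(2):
            hdrs = dict(headers or {}, Authorization=self.authorization())
            status, body = self._send("GET", url, hdrs, None)
            if status != 401:
                break
            self._token = None  # treat the token as expired and request a new one
        return status, body
```

In a real integration, load the client key and secret from a secret store or environment variable rather than source code, and keep `Authorization` header values out of request logs.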
When integrating with OverDrive APIs, it is recommended that you utilize an OAuth v2.0 library specific to the programming languages and technologies you are using.