Intralinks Developer Portal

OAuth Overview

OAuth is now the preferred authentication mechanism for 3rd party app developers who wish to integrate with the Intralinks API. If you are familiar with the session login/logout process, you will need to make a few changes to your application in order to authenticate and make API calls as part of the new process. Intralinks OAuth2 provider implements the OAuth2 specification's authorizationcode flow (3 legged OAuth), clientcredentials, and refreshtoken flows. This document is intended to give you a general overview of the process using the authorizationcode grant type and the API calls used to interact with our service.

Before starting with this document however, it is a good idea to familiarize yourself with the OAuth2 and how it works. A great resource for this is the community page for OAuth2 at


Using OAuth

Before you can make any OAuth calls you need to get a client id and client secret these can be found on the properties screen of your appliction in the "My Apps" section or your profile. If you have not created an app yet, our Getting Started guide walks you through the process.


Getting an access token - OAuth login

Step 1 - Your application needs to call the /v2/oauth/authorize API. This call will execute an HTTP 302 Redirect from your web application to the Intralinks OAuth Login Page.

See OAuth Authorize

Step 2 - After the user logs in, the Intralinks API will redirect back to your application using the redirect_url parameter specified in the /authorize call. The query parameters of the GET call will contain an authorization code that is valid for 20 seconds.

Step 3 - Using the auth code passed to your application during step 2 of the process, you application can then call the /v2/oauth/token API to obtain an actual OAuth token. The token call will return immediately with 2 tokens – Auth and Refresh. The Auth token is good for 60 minutes while the refresh token is good for 30 days.

See Create OAuth Token


Using OAuth Tokens

Now you are logged into the API and can begin to make API calls. The Auth token is passed to existing API calls in the “AUTHORIZATION” HTTP header as a ‘Bearer’ token. For example:

Authorization: Bearer <access_token>

If you need to reestablish a session with the API, you can use the /v2/oauth/token API call with the refresh_token grant type and pass in the ‘refresh’ token you got back from the /token call. Doing this means you don’t have to re-execute the 3 legs of the authorize flow.

See refresh_token grant type in the OAuth Token API

You can also pass the token to the /v2/oauth/tokeninfo API call to retrieve details about the token itself, including when it expires and the scope it was issued for.

See Get Token Info


Logging Out

If you need to log the user out completely, you can call the /v2/oauth/revoke and pass in either the refresh token or the auth token. Once the tokens are revoked, you will have to go through the complete authorization process to obtain new tokens.

See Revoke OAuth Token


OAuth Client Libraries

While not required, there are several open source OAuth2 client implementations which can be used to speed your development work when integrating with the Intralinks OAuth Provider API.
For Java-based backends, we recommend using Spring Security OAuth2 Client API or Google OAuth2 Client for Java.