SharePoint Access Token using Postman
There are lots of ways to fetch and update SharePoint resources.
Today, I am going to show you a way to access SharePoint resources with an access token, using Postman.
This is a developer friendly tool for handling REST API from any platform.
If you are new to the SharePoint REST APIs, then you can learn more from Get to know the SharePoint REST service.
Now that we have some understanding of the Postman tool and the SharePoint REST API endpoints, we'll start testing the SharePoint REST API with this tool.
Let’s take one simple example to fetch a web title using a SharePoint REST API.
The equivalent syntax to retrieve a website’s title is
After entering the above URL in the URL text box and sending the request, we will get an Unauthorized exception.
SharePoint Online is secured and doesn't allow anonymous users to access information on a site, so the request results in an error response.
To avoid the Unauthorized exception, we have to add some request header values to the API request. Authentication and Authorization of SharePoint Add-Ins gives the overview of authorizing the Add-ins to access SharePoint resources by the APIs.
SharePoint supports three types of authentication policies:
- User Policy
- Add-In Policy – We are using this policy to authenticate the external system to access SharePoint
- User + Add-In Policy
We require the following information in various requests to authenticate with SharePoint online site.
- Client Id
- Client Secret
- Realm (Tenant Id)
- Access Token
Authorize Postman to access SharePoint
We need to authorize Postman to access SharePoint resources using REST API endpoints.
To do that, we will need to pass the access token value as a request header.
To get the access token, we should generate the Client Id and Client Secret from the site by registering an App-only Add-In in the SharePoint site. This is the same as registering an add-in for a Provider Hosted Add-In.
I have provided the steps below to get the Tenant Id, Access Token, and data from SharePoint using Postman utility.
- Navigate and login to SharePoint online site.
- Then navigate to the Register Add-In page by entering the URL as
- In the App Information section, click the Generate button next to the Client Id and Client Secret textboxes to generate the respective values.
- Enter Add-In Title in Title textbox
- Enter AppDomain as localhost
- Enter RedirectUri as https://localhost
Click the Create button, which registers the add-in and returns a success message with the created information.
Save this information safely; we will need it in the following steps.
Grant Permissions to Add-In
Once the Add-In is registered, we need to set the permissions for that add-in to access the SharePoint data. We will set the Read permission level to the web scope so that we will be able to read the web information.
- Navigate to the SharePoint site
- Then enter the URL https://<sitename>.sharepoint.com/_layouts/15/appinv.aspx in the browser. This will redirect to the Grant permission page.
- Enter the Client ID (which we generated earlier) in the AppId textbox and click the Lookup button. That will populate the other text boxes: Title, App Domain, and Redirect Url
Now, enter the below xml in the Permission Request.
Click the Create button. This will redirect you to a page where we have to trust the add-in to read items from the website.
Note: If we want to access data at the site collection or tenant level, we have to adjust the XML accordingly.
Retrieve the Tenant ID
Once we have registered the Client Id and Secret with the permissions, we are ready to access SharePoint information from an external system or tool.
First, we have to know the Tenant ID. Follow the steps below to obtain it with Postman, which helps us get the Tenant ID by requesting the below URL with an Authorization header.
- Launch Postman chrome extension
- Select the Get Method
- Enter the below URL in the “Request URL” textbox
- Configure the below information in the header section to send along with the URL request
Method = GET
We are interested in two values, realm and client_id from the above response.
Generate the Access Token
In the response headers, we will get WWW-Authenticate as one of the headers; it contains the information required for the next step. The realm value contains the tenant ID for the SharePoint Online site, and the client_id value contains the resource information (we'll use it later).
- After getting the Tenant ID, we have to form a URL with the below format
https://accounts.accesscontrol.windows.net/<TenantID>/tokens/OAuth/2 for requesting the access token.
- Apply the below configurations in header
Method = POST
After applying the configuration, click the Send button. That will return the response with the Access Token.
Once we have received the access token, we are authorized to access the SharePoint data, based on the permission applied in the Grant Permissions to Add-In section.
We have to pass the access token as “token_type access_token”
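The steps above (read realm and client_id from the WWW-Authenticate header, form the token URL, then build the Authorization value) can be scripted as follows. This is an added example, not code from the original article: the function names, the sample header and the contoso host are constructed, and the form field names and the ClientId@TenantId composition follow the usual ACS app-only convention, which the page itself does not show.

```python
import re
from urllib.parse import urlencode

# Token endpoint format given in the article.
TOKEN_URL = "https://accounts.accesscontrol.windows.net/{tenant}/tokens/OAuth/2"

# Constructed sample of a WWW-Authenticate response header (placeholder realm).
SAMPLE_CHALLENGE = (
    'Bearer realm="11111111-2222-3333-4444-555555555555",'
    'client_id="00000003-0000-0ff1-ce00-000000000000"'
)

def parse_challenge(header):
    """Return the key="value" pairs of a Bearer challenge as a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def build_token_request(challenge, client_id, client_secret, site_host):
    """Build the token URL and form body (field names are an assumption)."""
    fields = parse_challenge(challenge)
    tenant, resource = fields["realm"], fields["client_id"]
    # Refuse to build a URL from a realm that is not GUID-shaped.
    if not re.fullmatch(r"[0-9a-fA-F-]{36}", tenant):
        raise ValueError("realm is not a GUID")
    body = {
        "grant_type": "client_credentials",
        "client_id": f"{client_id}@{tenant}",
        "client_secret": client_secret,
        "resource": f"{resource}/{site_host}@{tenant}",
    }
    return TOKEN_URL.format(tenant=tenant), urlencode(body)

def authorization_header(token_response):
    """Format the header value as "token_type access_token"."""
    return f'{token_response["token_type"]} {token_response["access_token"]}'

def redact(form_body):
    """Mask the client secret before a request body is logged or shared."""
    return re.sub(r"(client_secret=)[^&]*", r"\1***", form_body)
```

Running exported Postman requests or console logs through a masking step like redact keeps the Client Secret out of shared collections and tickets.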
Access the SharePoint resource
Now that we have the access token, we can pass it in the Authorization header with the SharePoint REST API request to get the information.
- In Postman tool, add the below URL to retrieve the web title
- Apply configurations in header
- Method = POST
- After applying the configuration, click the Send button.
- We will get a successful response as below if the permission XML was applied correctly on the appinv page. Otherwise, we will get an access denied error message.
Postman helps us start development and test the REST API. Using this approach, we can update any SharePoint information that is supported by the SharePoint REST API.
Please comment and share this article with your friends and colleagues.
SharePoint Team Lead, Office 365 consultant