REST based access calls

The authentication mechanism in Cloud CMS is  straight-up OAuth 2.0.
While you can use any of the flows, the easiest one to begin with is "password".  We've outlined a basic example here using to show our APIfirst platform in action.
First, from your Cloud CMS login, select the API Keys section to list all available projects for remote access:

If your project doesn't show, you can quickly  create a key for it.  Now click on the desired project's entry named "Node.js (gitana.json)" to see:

    "clientKey": "51371da0-b389-4b73-8359-d1295ee1da8a",
    "clientSecret": "/qHWNstDHZYkYxQvSIN6jZkIebxPDxT2IhH/4SQ/DdVJMwR66pHbLbQ1/GA9Plu1vSJ3tC5JbCYz0RfHCtxKrh2SAXr0uKGLJOwIXyVFvnA=",
    "username": "f4fc3c6d-fbae-4525-be54-2ba94f7fd00f",
    "password": "axpJDZRtFTiPgOLOwiUciG7sHDpwdmOykidBUV8BiJNAoBriiClhgnT+uoVv5v0bIhS9AmqUvmmKj4KUnSVRFt+1B9Tu89AefFKJ9MhhMa0=",
    "baseURL": "",
    "application": "db385f203ba8ee01f559"

In order to use these with our  REST client, we'll first need to process clientKey, clientSecret, and password by:

A) Generating the authorization header using clientKey and clientSecret

Manually base64encode (clientKey + ":" + clientSecret), yielding a concatenated value of:


which we can process quickly thru

giving us a ready to use value of


B)  URLencode the password value to make


result in a ready to use value of


Now we can configure the headers in our REST client by:

  1. Setting the URL to with a method of POST
  2. Defining the Content Type (x-www-form-urlencoded) and Authorization (from the concatenated value in A above)

Resulting in

with a payload of

using the encoded value of password from B above.  The grant_type, scope, and username values are all taken as-is. Upon execution of the POST, you should receive a token like this one:

"access_token": "e539b9e2-4357-4f22-b895-76f1f2d16dba"
"token_type": "bearer"
"refresh_token": "e973abb1-a58a-478c-8206-dab6ad04428b"
"expires_in": 81893
"scope": "api"

Allowing your subsequent requests to include the access token in the "Authorization" header.  This now permits you to utilise any of the calls listed at via a simple