OAuth 2.0 Client Credentials flow

Overview

The Partner API uses the OAuth 2.0 Client Credentials flow, designed for machine-to-machine communication where a client (such as a backend service) authenticates itself to access resources without a user.

Benefits of OAuth 2.0 Client Credentials

  • Credentials are never embedded in API payloads.

  • A simplified authentication model results in faster API calls.

  • Most partners can leverage existing OAuth 2.0 libraries and client implementations.

  • This flow is an opt-in and doesn’t replace the existing legacy authentication workflow.

If the Authorization header is not included in the request, the backend will fall back to Basic authentication.

Enrollment

To obtain a client ID and secret for OAuth 2.0 authentication, reach out to your account manager.

Automatic self-registration is not supported. To use OAuth 2.0 authentication scheme, partners must complete a manual enrollment process.

Authentication workflow

  • Tokens expire after 4 hours.

  • Request a new token as needed.

The OAuth 2.0 workflow consists of three main steps:

  1. Discover the token endpoint

    Use the OpenID configuration endpoint to obtain OAuth 2.0 metadata. This response can be cached for long-term use, enabling reuse without additional API requests.

    Example request:

    curl https://api.sitelock.com/.well-known/openid-configuration

    Example response:

    {
    "jwks_uri":"https://api.sitelock.com/.well-known/jwks.json",
    "grant_types_supported":[
        "authorization_code","password","client_credentials","urn:ietf:params:oauth:grant-type:token-exchange"
    ],
    "id_token_signing_alg_values_supported":["RS256","EC256","EdDSA"],
    "token_endpoint":"https://api.sitelock.com/v2/oauth2/token",
    "issuer":"https://api.sitelock.com",
    "scopes_supported":["openid","profile","email"]
     "authorization_endpoint":"https://api.sitelock.com/v2/oauth2/auth",
    "registration_endpoint":"https://api.sitelock.com/v2/oauth2/register",
    "claims_supported":["sub","iss","aud","exp","iat","client_id","nonce","name","email"],
    "token_endpoint_auth_methods_supported":[
        "client_secret_post","client_secret_basic","client_secret_jwt","private_key_jwt"
    ]
}

  2. Authenticate with the client ID and secret to request an access token from the token endpoint.

    The currently supported client authentication method is client_secret_basic.

    Example request:

    curl \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Basic <base64(client_id:client_secret)>' \
  -X POST \
  --data-urlencode grant_type=client_credentials \
  --data-urlencode scope=partner \
   ${token_endpoint}

    Example response:

    {
  "scope": "partner",
  "expires_in": 14400,
  "token_type": "Bearer",
  "access_token": "<access_token>"
}

  3. Make an API call with the access token.

    The <authentication> element in the XML payload will be ignored when an Authorization: Bearer header is included.

    Example request:

    curl \
  -H "Content-Type: application/xml" \
  -H "Authorization: Bearer <access_token>" \
  --data-raw "<SiteLockOnlineRequest>
    <getStatus>
      <type>live</type>
      <accountInformation>
        <id>${account_id}</id>
      </accountInformation>
    </getStatus>
  </SiteLockOnlineRequest>" \
  https://api.sitelock.com/v1/partner/getStatus

    Example response:

    <?xml version='1.0' standalone='yes'?>
<SiteLockOnlineResponse>
 <getStatus>
  <accountInformation>
    <name>First Last</name>
    <id>123456</id>
    <isTest>no</isTest>
    <status>active</status>
  </accountInformation>
  <siteInformation>
    <site>
      <alerts_email>[email protected]</alerts_email>
      <amount>180.99</amount>
      <billing_authority>partner</billing_authority>
      <compliance>Pending</compliance>
      <domain>example.com</domain>
      <frequency>1</frequency>
      <next_renewal_at>2026-01-20</next_renewal_at>
      <over_limit>0</over_limit>
      <page_limit>10000</page_limit>
      <pages_checked>0</pages_checked>
      <site_id>123</site_id>
      <site_status>active</site_status>
      <subscription>456</subscription>
      <subscription_id>789</subscription_id>
      <subscription_plan_name>SiteLock Enterprise</subscription_plan_name>
      <subscription_start_date>2025-12-20 06:09:12</subscription_start_date>
      <subscription_state>active</subscription_state>
      <subscription_type>bundle</subscription_type>
      <trusted_domain>yes</trusted_domain>
    </site>
  </siteInformation>
  <users>
    <user>
      <name>First Last</name>
      <email>[email protected]</email>
      <login>example_login</login>
      <owner>yes</owner>
    </user>
  </users>
 </getStatus>
</SiteLockOnlineResponse>

Error response

If an API request is made with an expired access token, the SiteLock API returns an error response indicating the issue. The exact response format varies depending on the API endpoint version and the expected response type.

v1 endpoint

HTTP/1.1 401 Unauthorized
Content-Type: application/xml

<SiteLockOnlineResponse>
  <error>invalid_token</error>
  <error_description>The access token expired</error_description>
</SiteLockOnlineResponse>

v2 endpoint

HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error": "invalid_token",
  "error_description": "The access token expired"
}
To resolve the issue, request a new access token by following the instructions in OAuth Client Credentials Flow.