Hide menu

OAuth 2.0

CAD Exchanger Cloud Service uses OAuth 2.0 to authorize and authenticate users on service. This protocol allows third-party applications to grant limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf. Access is requested by a client, it can be a website or a mobile application for example.


OAuth defines next terms which used in this section:

clientThe application that wants to access the user's resource (e.g. website, desktop application, etc.). You can find your applications in My Apps page.
client idThe client identifier issued during the client registration process. It is a 32-character string (e.g., "pHnOt9uGjolVu24o7K5ByU4TSTHKwdFI").
client secretThe client secret key (aka password) that must be kept confidential. It is a 24-character alphanumeric string (e.g., "dsH6yUgKpCSqqTj00ghOUf01"),
access tokenA token used by the client as a header in the request which allow authenticate user on the server. It is alphanumeric string of variable length. CAD Exchanger Cloud Service uses JSON Web Tokens (JWT) and check tokens' scope, lifetime, and other access attributes to allow or deny access to requested resource.
scopesThe parameter controls the set of resources and operations that an access token permits. It is a expressed as a list of space-delimited, case-sensitive strings. For example if an access token is issued for the reading data only (scope is "data:read"), it does not grant access to the creating or deleting data. You can use access token multiple times for similar allowed operations.

The typical authorization flow is as follows:

  • The client requests authorization to access service resources from the user
  • The server issues an access token to the client
  • The client requests the resource from the server and presents the access token for authentication


OAuth 2.0 scopes provide a way to limit the amount of access that is granted to an access token. The structure of scope values is category:operation. category refers to the resource or entity categorization they grant access to, operation refers to the class of actions on that object they allow.

ScopeDisplay Message on Consent PageDescription
user:readView your profileThe client will be able to read user's profile.
user:writeManage your profileThe client will be able to update user's profile.
data:readView your dataThe client will be able to read all the end user’s data (files and folders).
data:createCreate new dataThe client will be able to create data (file and folders) on behalf of the end user.
data:writeManage your dataThe client will be able to create, update, and delete data (file and folders) on behalf of the end user.
data:convertConvert your dataThe client will be able to convert files to other formats on behalf of the end user.
data:shareShare your dataThe client will be able to share files with another user.
viewer:readView your modelThe client will be able to read assets required for visualization in the browser.

Service Applications

The CAD Exchanger Cloud Service supports server-to-server interactions such as those between a web application and service.

Current implementation uses Client Credentials Grant only. So client can access to resources about themselves rather than to access a user's resources.