Authentication
Partner APIs require OAuth2 client credentials. You authenticate by exchanging a Client ID and Secret for a short-lived JWT access token, then sending that token in the Authorization header.
All Entur APIs, open and partner, also require the ET-Client-Name header on every request. See Client identification.
Setup
1. Create client credentials
- Go to Entur Partner and create a client
- View the created client and note the Client ID and Client secret
- Be sure to store the Client secret securely.
Only users with the role Brukeradministrator in your organization can create clients.
2. Get an access token
Call the authentication service that matches the environment where your client was created. Use the client_credentials grant type.
| Environment | Authentication service endpoint | Audience |
|---|---|---|
| Production | https://partner.entur.org | https://api.entur.io |
| Staging | https://partner.staging.entur.org | https://api.staging.entur.io |
| Dev | https://partner.dev.entur.org | https://api.dev.entur.io |
Request body
Code
Example request (production)
Code
We recommend using established OAuth2 libraries instead of building this flow from scratch.
3. Use the access token
Include the JWT access token in the Authorization header for every Partner API request:
Code
Example request
Code
4. Cache and expiry
- Cache access tokens securely and reuse them until they expire.
- Tokens from Entur’s authentication service are valid for 24 hours.
- You can track expiry via the expires_in field from the token response or the exp claim inside the JWT.
Requests using expired tokens will return HTTP 401.
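The caching rules above as an added example (not Entur's own code): an in-memory cache that reuses a token until shortly before the earlier of expires_in and the JWT exp claim, and can be invalidated after an HTTP 401. Assumptions: fetch_token is a hypothetical callable that performs the client_credentials exchange and returns the token response as a dict, the names TokenCache and jwt_exp are illustrative, and the sample JWT is constructed and unsigned.

```python
import base64
import json
import time

def jwt_exp(token):
    """Read the exp claim (Unix seconds) from a JWT payload without verifying it.
    Used only for cache timing; the API remains the authority on validity."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
        exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
        return float(exp) if isinstance(exp, (int, float)) else None
    except (IndexError, ValueError, AttributeError):
        return None

class TokenCache:
    def __init__(self, fetch_token, skew=60, clock=time.time):
        self._fetch = fetch_token   # hypothetical callable: does the client_credentials exchange
        self._skew = skew           # refresh this many seconds before expiry
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        return self._token

    def invalidate(self):
        """Call after an HTTP 401 so the next get() fetches a fresh token."""
        self._token = None

    def _refresh(self):
        resp = self._fetch()
        now = self._clock()
        candidates = [now + resp["expires_in"]] if "expires_in" in resp else []
        exp = jwt_exp(resp["access_token"])
        if exp is not None:
            candidates.append(exp)
        # Use the earlier bound; with neither present, do not reuse the token.
        self._expires_at = min(candidates) if candidates else now
        self._token = resp["access_token"]

def make_sample_jwt(exp):
    """Constructed, unsigned sample token for the demo; not a real Entur token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"
```

The cache holds the token in process memory only; if tokens are persisted or shared between processes, they need the same protection as the Client secret.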
Troubleshooting
Common HTTP status codes during authentication:
- 401 Unauthorized – Missing/invalid client_secret, missing token, or expired token.
- 403 Forbidden – The token is valid, but lacks required permissions for the endpoint.
- 408 Session timeout – The token expired during processing; obtain a new token.