


Understanding the D&B Direct+ API Authentication Flow

Before you can start using the D&B Direct+ API, you will need to understand the authorization flow of the API.

D&B Direct+ API calls utilize access tokens - generated from a key/secret combination - for authentication based on the Client Credentials Grant flow of the OAuth 2 specification. These access tokens expire after twenty-four hours. The error code 00040 indicates the current access token being used has expired.

The preceding diagram shows a standard Auth flow, where Authorization Server is ( and Resource Server is the D&B Direct+ API.

NOTE: Contact your D&B representative to obtain your D&B Direct+ key/secret combination. These values, along with any access tokens generated, should be considered as sensitive as a password, and must be used only by authorized parties as stated in the D&B Direct+ API agreement.

Here is a sample of a Consumer Key and Consumer Secret. Note: these are not valid credentials.

Consumer Key: r1BKFi9iRGl0FP8VXmxXm6YHY2msM3dw
Consumer Secret: VH4HIUipabqqAcO7

The application-only auth flow follows these steps:

1. An application developer Base64-encodes the combination of Consumer Key plus ":" plus Consumer Secret into a credential value that can be submitted for a token.

For example, the sample values would yield the following encoded credential value: UXQ2WUdZcFh2R2Z4V0FsUkhoNVdNNDZNc2I3NldLTnc6Y25oOFRDOVNlemxkM2M4NA==

2. An application makes a request to the POST endpoint to exchange these credentials for a bearer token.

Token Request

Content-Type: application/json
Authorization: Basic <base 64 encoded(yourKey:yourSecret)>

{ "grant_type" : "client_credentials" }

Token Response

{
	"access_token": "<yourToken>",
	"expiresIn": 86400
}

3. When accessing the D&B Direct+ API, the application uses the bearer token to authenticate the API requests. Without the bearer token these calls will fail.

Sample Request (by IP)
Authorization: Bearer <yourToken>
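
The three steps above, sketched as a small token cache that also handles the twenty-four hour expiry. This is an added example, not D&B code: TOKEN_URL is a placeholder because the page does not give the endpoint, and the post(url, headers, json_body) transport hook, the class and its method names are hypothetical.

```python
import base64
import time

# Placeholder: the page does not give the token endpoint URL.
TOKEN_URL = "https://token-endpoint.invalid/placeholder"
EXPIRED_TOKEN_ERROR = "00040"  # error code the page gives for an expired token


def basic_credential(key, secret):
    """Step 1: Base64 of key + ":" + secret, for the Basic Authorization header."""
    return base64.b64encode(f"{key}:{secret}".encode("ascii")).decode("ascii")


class TokenCache:
    """Fetches a bearer token once and reuses it until shortly before expiry."""

    def __init__(self, key, secret, post, clock=time.time, skew=60):
        # post(url, headers, json_body) -> dict is a hypothetical transport hook
        self.key, self.secret, self.post = key, secret, post
        self.clock, self.skew = clock, skew
        self.token, self.expires_at = None, 0.0

    def __repr__(self):
        return "<TokenCache secret=redacted token=redacted>"  # keep secrets out of logs

    def refresh(self):
        """Step 2: exchange the key/secret for a bearer token."""
        headers = {"Content-Type": "application/json",
                   "Authorization": "Basic " + basic_credential(self.key, self.secret)}
        reply = self.post(TOKEN_URL, headers, {"grant_type": "client_credentials"})
        self.token = reply["access_token"]
        self.expires_at = self.clock() + reply["expiresIn"]

    def bearer_header(self):
        """Step 3: header for API calls; refreshes when missing or near expiry."""
        if self.token is None or self.clock() >= self.expires_at - self.skew:
            self.refresh()
        return {"Authorization": "Bearer " + self.token}

    def invalidate(self):
        """Call when an API response carries EXPIRED_TOKEN_ERROR, then retry once."""
        self.token = None


if __name__ == "__main__":
    def fake_post(url, headers, body):  # constructed stand-in for the HTTP call
        return {"access_token": "constructed-token", "expiresIn": 86400}
    cache = TokenCache("constructed-key", "constructed-secret", fake_post)
    print(cache, list(cache.bearer_header()))
```

Reusing the token until shortly before expiry keeps the key/secret off the wire except at refresh time, and the redacted repr keeps both the secret and the token out of logs and tracebacks.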