© 2018 Capita Business Services Ltd. All rights reserved.

Capita Education Software Solutions is a trading name of Capita Business Services Ltd. Our Registered office is 30 Berners Street, London, W1T 3LR and our registered number is 02299747. Further information about Capita plc can be found in our legal statement.

API Security and Access

The OAuth 2.0 Authorization Framework specification defines four flows to get an Access Token. These flows are called grant types, and each one is best suited to different use-cases for your application.

  • Authorization Code: used by Web Apps executing on a server. This is also used by mobile apps, using the Proof Key for Code Exchange (PKCE) technique.
  • Implicit: used by JavaScript-centric apps (Single Page Applications) executing in the user's browser.
  • Resource Owner Password Credentials: used by trusted apps, typically trusted enterprise apps internal to an organisation.
  • Client Credentials: used for machine-to-machine communication.

Capita DeX APIs are accessible by access tokens obtained using the Client Credentials or Authorization Code grant types. When clients are configured for you to use, the grant type allowed ("flow") will be set for each client.


Access Tokens

For more information on access tokens, please click here


Related resources for ESS DeX Web-Based API