Autodesk OAuth (Third-Party Account) — Setup Guide

Overview Use this guide to register an Autodesk app and connect it to your system as a "Third Party (Autodesk)" OAuth account. The app enables end-users to:

• Access Autodesk Construction Cloud (ACC) projects and documents
• Read/write BIM 360 files and folders
• Manage Autodesk Vault connections
• Access Fusion 360 and Inventor data through APIs
• Integrate with AutoCAD Web services

This document provides the exact permissions to grant, the redirect/authorization URLs to use, and the values to enter in your application. All values below use placeholders—replace them with your own.

---

1) Register a New App in Autodesk Developer Portal

1. Sign in to Autodesk Developer Portal at https://aps.autodesk.com/
2. Navigate to My Apps → Create App.
3. App Name: e.g., MinuteView Integration.
4. App Description: Brief description of your integration purpose.
5. Callback URL:
   • Use your production callback URL, e.g. https://your-domain/MinuteView/PageGeneral/ServiceCallback.aspx
6. Select the appropriate APIs you need access to (see API selection below).
7. Click Create App.

---

2) Collect App Credentials

From the app's Details page:

• Client ID: YOUR-AUTODESK-CLIENT-ID
• Client Secret: YOUR-AUTODESK-CLIENT-SECRET

Store the client secret securely as it will only be shown once.

---

3) Select Autodesk Platform Services (APS) APIs

When creating your app, select the APIs you need:

Data Management API

• Purpose: Access files, folders, and metadata in Autodesk Construction Cloud, BIM 360, and Fusion 360
• Required for: File operations, project data access

Model Derivative API

• Purpose: Convert and view 2D/3D models in various formats
• Required for: Model viewing, format conversion, thumbnail generation

Construction Cloud API

• Purpose: Access Construction Cloud specific features
• Required for: ACC project management, document management

Design Automation API

• Purpose: Run Autodesk applications in the cloud
• Required for: Automated processing of CAD files

Webhook API

• Purpose: Receive notifications about data changes
• Required for: Real-time synchronization

---

4) OAuth 2.0 Scopes

Autodesk uses scope-based permissions. Common scopes include:

Data Access Scopes

• data:read - Read access to application data
• data:write - Write access to application data
• data:create - Create new data
• data:search - Search through data

User Profile Access

• user-profile:read - Read user profile information

Bucket Access (for file storage)

• bucket:create - Create buckets for file storage
• bucket:read - Read bucket contents
• bucket:delete - Delete buckets

---

5) Authorization & Token Endpoints

• Authorize endpointhttps://developer.api.autodesk.com/authentication/v2/authorize

• Token endpointhttps://developer.api.autodesk.com/authentication/v2/token

---

6) Authorization Request

Use the Authorization Code flow with PKCE for enhanced security:

GET https://developer.api.autodesk.com/authentication/v2/authorize
  ?response_type=code
  &client_id={ClientId}
  &redirect_uri={UrlEncodedCallbackUrl}
  &scope={SpaceSeparatedScopes}
  &state={RandomStateParameter}
  &code_challenge={PKCEChallenge}
  &code_challenge_method=S256

Example scopes: data:read data:write user-profile:read

---

7) Token Exchange (Server-Side)

When your app receives the code at the callback:

• POST to the token endpoint with:

  • grant_type=authorization_code
  • client_id={ClientId}
  • client_secret={ClientSecret}
  • code={authorization_code_from_callback}
  • redirect_uri={exact_same_redirect_uri}
  • code_verifier={PKCEVerifier}

You'll receive:

• access_token (typically valid for 1 hour; use for API calls)
• refresh_token (valid for 15 days; use to get new access tokens)
• expires_in (token lifetime in seconds)

---

8) Testing Checklist

• Sign in with a user who has access to the target Autodesk services.

• Call sample endpoints to validate each capability:

  • User Info: GET https://developer.api.autodesk.com/userprofile/v1/users/@me
  • Hubs: GET https://developer.api.autodesk.com/project/v1/hubs
  • Projects: GET https://developer.api.autodesk.com/project/v1/hubs/{hub_id}/projects
  • Folders: GET https://developer.api.autodesk.com/data/v1/projects/{project_id}/folders/{folder_id}/contents

• Confirm refresh token works and tokens are stored securely.

• Test file upload/download operations if applicable.

---

9) Security & Best Practices

• Treat Client Secret and refresh tokens as sensitive credentials; store in a secure credential store.
• Implement proper PKCE (Proof Key for Code Exchange) for additional security.
• Use HTTPS for all communications.
• Implement token refresh logic before tokens expire.
• Follow principle of least privilege - only request scopes you actually need.
• Monitor API usage to stay within rate limits.

---

10) Troubleshooting

• Invalid redirect URI: Ensure the callback URL in the request exactly matches the registered redirect URI.
• Insufficient scope: Verify you've requested all necessary scopes for your use case.
• Token expired: Implement automatic token refresh using the refresh token.
• Rate limiting: Implement exponential backoff and respect rate limit headers.
• Access denied: Check user permissions for the specific Autodesk services and projects.
• CORS issues: Ensure your domain is properly configured if making client-side calls.

---

11) Rate Limits & Quotas

Autodesk APIs have various rate limits:

• Authentication API: 500 requests per minute
• Data Management API: 100 requests per minute
• Model Derivative API: Varies by operation
• Construction Cloud API: 60 requests per minute

Monitor response headers for rate limit information:

• X-RateLimit-Limit: Total requests allowed
• X-RateLimit-Remaining: Requests remaining in current window
• X-RateLimit-Reset: Time when rate limit resets

---

Appendix — Example URL Templates

Replace placeholders and URL-encode parameters appropriately.

Authorization URL:

https://developer.api.autodesk.com/authentication/v2/authorize
  ?response_type=code
  &client_id={ClientId}
  &redirect_uri={UrlEncodedCallbackUrl}
  &scope=data:read%20data:write%20user-profile:read
  &state={RandomState}
  &code_challenge={PKCEChallenge}
  &code_challenge_method=S256

Token Exchange:

POST https://developer.api.autodesk.com/authentication/v2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id={ClientId}
&client_secret={ClientSecret}
&code={CodeFromCallback}
&redirect_uri={ExactSameCallbackUrl}
&code_verifier={PKCEVerifier}

Token Refresh:

POST https://developer.api.autodesk.com/authentication/v2/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&client_id={ClientId}
&client_secret={ClientSecret}
&refresh_token={RefreshToken}

---

Common API Endpoints

• User Profile: https://developer.api.autodesk.com/userprofile/v1/users/@me
• Hubs: https://developer.api.autodesk.com/project/v1/hubs
• Projects: https://developer.api.autodesk.com/project/v1/hubs/{hub_id}/projects
• Project Contents: https://developer.api.autodesk.com/data/v1/projects/{project_id}/folders/{folder_id}/contents
• File Details: https://developer.api.autodesk.com/data/v1/projects/{project_id}/items/{item_id}

This configuration enables access to Autodesk Construction Cloud, BIM 360, and other Autodesk Platform Services for file management, model processing, and project data integration.