• What languages can I use to invoke an API?

    The APIs exposed by EUIPO API follow open standards and be language and platform agnostic. Any system capable of forming a JSON string and issuing an HTTP request can be used to invoke a RESTful API. It is important to note that EUIPO does not restrict the technology you use to invoke the API.

  • Can I get a client for an API in my language of choice?

    Clients usually take the form of generated source code, in the consumers language of choice, and provide a simpler mechanism for invoking the API without the need to build validation and/or data transformation mechanisms. EUIPO API does not provide clients for testing their APIs.

    If you would like to use an API client rather than crafting the JSON payload and issuing HTTP requests, the machine-readable nature of EUIPOs OpenAPI descriptors means that a client generator can be used for many programming languages - see the OpenAPI Initiative (openapis.org) project page for examples.

  • How does API Security work?

    REST APIs use HTTP and support Transport Layer Security (TLS) encryption. TLS is a standard that keeps an internet connection private and checks that the data sent between two systems (a server and a server, or a server and a client) is encrypted and unmodified.

    EUIPO offers its APIs using HTTPS protocol, which is a secure extension of HTTP using a TLS certificate.

    In the request processing pipeline, authentication comes first and authorisation comes next. Authorisation only occurs after successful authentication of the request.

    • Authentication: Authentication is the process of identifying whether the credentials passed along with the request are valid.
    • Authorisation: Authorisation is the process of identifying whether the received request is allowed to access the requested endpoint or method.

    EUIPO APIs use the OpenID Connect (OIDC) protocol for user authentication and application authorisation. OpenID Connect is an open authentication protocol that profiles and extends OAuth 2.0, an authorisation framework, to add an identity layer. OIDC allows clients to confirm an end user’s identity using authentication by an authorisation server.

    An OAuth 2.0 server issues access tokens that client applications can use to access protected resources on behalf of the resource owner, (e.g.: create an EUTM Application on behalf of the user).

    OAuth2.0 provides various flows or grant types suitable for different types of API clients or use cases. The most commonly used grant types in EUIPO’s APIs are client_credentials and/or authorisation_code.

  • What is the URL for EUIPO OpenID Connect Implementation?

    EUIPO provides two different authorization servers depending on the environment the user is targeting.

  • Why am I getting a 401 unauthorized response when invoking the “/accessToken” endpoint?

    • Your App may not be registered in the EUIPO Developer Portal
    • The client_id and or client_secret may not be part of request body
    • You may be calling the wrong authorisation server for the Portal where you registered your application (Sandbox or Production)
  • What are the steps to call one of the available endpoints of an API?

    Before performing any operation you need to obtain an authorization token. OAuth 2.0 includes many authorisation flows but the most common are client_credentials and authorisation code.

    Depending on the API needs, client_credentials are used if the API only needs to identify the application that tries to perform the operation; or the authorisation_code if there is a need to identify the final user as well. In the latter case, the application acts on behalf of the final user.

    1. Request an access token to the authorization server:

    The following is an example of a client_credentials flow.

    curl --location --request POST 'https://auth.euipo.europa.eu/oidc/accessToken' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id={your_client_id}' \
    --data-urlencode 'client_secret={your_client_secret}' \
    --data-urlencode 'grant_type=client_credentials'

    The response from the authorization server includes the access token together with an identity token and the refresh token.

        "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIm9yZy5hcGVyZW8uY2FzLnNlcnZpY2VzLlJlZ2lzdGVyZWRTZXJ2aWNlIjoiMTAwMTEifQ.eyJzdWIiOiJsb3ZlbGxzOCIsIm9hdXRoQ2xpZW50SWQiOiJkOGFhNDJjYS04YmI0LTRjNjItODc5OS1kYjJmNTJmM2FjOGMiLCJyb2xlcyI6WyJST0xFX01ZT1BUSU9OUy1WSUVXLVBFUlNPTkFMREVUQUlMUyIsIlJPTEVf………….-eKX_cfvF1CuK6uPc5hJoY8bt8k6Xvt9lb27I9bhNhsGBNgK9a3cPr87ewOV_zxrJG-quD7UgKKGW8SnuSyL9cLWdwFCXHfcxtgNUBIwFYccmo42O4OmZkh6gXv0_QJexPwS01Tox3RIjVV0PJKFOIIL2NQg3BPnyq9lanP2XBcPoMTdjnVZxPZA",
        "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImdFQjRlUHRVeTFDaF9yNTBCN2xlOFhKQTctLWtDbXl6ZHZ5U2VBVTIybTQifQ………..-qBPMyzG1xoszlmxs_2M2YrRv48NqeLJ8_biXOxPQnZBfwsi4R6gOA",
        "refresh_token": "RT-128-hUhVJ2J0uQgO1q1riD3LhM2fKhIIDdDN",
        "token_type": "bearer",
        "expires_in": 28800,
        "scope": ""

    The access Token is valid for 8 hours and can be reused across multiple API requests.

    2. Perform the API call using the access token

    Send the above OAuth Token in HTTP “Authorisation” Header of the API Request in the below format:

    Authorisation: {token_type} + space + {access_token}

    Also include the information of the client_id and client_secret in “X-IBM-Client-Id” and “X-IBM-Client-Secret” headers respectively:

    X-IBM-Client-Id: {your_client_id}
    X-IBM-Client-Secret: {your_client_secret}'

    The following is an example of a Get Applicant Details request:

    curl --location --request GET 'https://api.euipo.europa.eu/persons/applicants/162477' \
    --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIm9yZy5hcGVyZW8uY2FzLnNlcnZpY2VzLlJlZ2lzdGVyZWRTZXJ2aWNlIjoiMTAwMTEifQ.eyJzdWIiOiJsb3ZlbGxzOCIsIm9hdXRoQ2xpZW50SWQiOiJkOGFhNDJjYS04YmI0LTRjNjItODc5OS1kYjJmNTJmM2FjOGMiLCJyb2xlcyI6WyJST0xFX01ZT1BUSU9OUy1WSUVXLVBFUlNPTkFMREVUQUlMUyIsIlJPTEVf………….-eKX_cfvF1CuK6uPc5hJoY8bt8k6Xvt9lb27I9bhNhsGBNgK9a3cPr87ewOV_zxrJG-quD7UgKKGW8SnuSyL9cLWdwFCXHfcxtgNUBIwFYccmo42O4OmZkh6gXv0_QJexPwS01Tox3RIjVV0PJKFOIIL2NQg3BPnyq9lanP2XBcPoMTdjnVZxPZA' \
    --header 'X-IBM-Client-Id: {your_client_id}' \
    --header 'X-IBM-Client-Secret: {your_client_secret}'