Authorization flow

Last updated February 10th, 2026

This authorization flow applies to you if you’re a UEM partner looking to integrate Knox cloud services features into your platform and want to programmatically access your customers’ Knox cloud services on their behalf.

Overview of the authorization flow

UEM sequence

  1. Access request — The end user initiates access to the UEM app.

  2. PKCE challenge generation — The UEM app generates a code verifier, which is a random string, and transforms it into a code challenge using a hashing algorithm.

  3. Authorization code request — The UEM app sends an authorization code request to the Knox authorization server, including the client ID, the client secret, and the code challenge.

  4. User authentication — The Knox authorization server redirects the request to the Identity Provider (IdP) for user authentication.

  5. Login screen display — The IdP displays the login screen to the end user.

  6. User login — The end user logs in by providing their credentials to the IdP.

  7. User authentication by IdP — The IdP authenticates the user’s credentials.

  8. Consent screen — The IdP displays a consent screen to the end user, asking for permission to allow the UEM app to access the required resources, which are determined by scopes. For more information, see Scopes for Knox cloud services APIs.

  9. Grant consent — The end user grants consent.

  10. Authorization code issuance — The Knox authorization server issues an authorization code and sends it back to the UEM app.

  11. Access token request — The UEM app sends the authorization code and the code verifier to the Knox authorization server to request an access token.

  12. Access token issuance — The Knox authorization server validates the authorization code and the code verifier. If the credentials are valid, this proves that the UEM app is authorized to make calls on behalf of the end user. The Knox authorization server then issues an access token and a refresh token to the UEM app.

  13. API call with access token — The UEM app uses the access token to call the Knox cloud services APIs to access the resources. The access token must be active when you make this API call.

  14. Data response — The Knox cloud services APIs respond with the requested data.

  15. Access token refresh — When the access token expires, the UEM app requests a new access token from the Knox authorization server using the refresh token.

  16. New access token — The Knox authorization server issues a new access token to the UEM app.
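The PKCE steps of this sequence (2, 10, 11 and 12) can be traced in code. The following is an added example, not Samsung's code or part of the original page. It assumes the S256 method from RFC 7636, since the page only says "a hashing algorithm", and `ToyAuthServer` is a hypothetical stand-in for the authorization server.

```python
import base64, hashlib, hmac, secrets

def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    # Step 2: 32 random bytes give a 43-char verifier (RFC 7636 allows 43-128)
    return b64url(secrets.token_bytes(32))

def challenge_for(verifier: str) -> str:
    # Step 2, S256 (assumed): BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthServer:
    """Hypothetical server side of steps 10-12; not the Knox implementation."""

    def __init__(self):
        self._pending = {}  # authorization code -> challenge it was issued for

    def issue_code(self, code_challenge: str) -> str:
        # Step 10: bind the authorization code to the client's challenge
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        # Step 12: pop() makes the code single-use, even if verification fails
        stored = self._pending.pop(code, None)
        if stored is None or not (43 <= len(code_verifier) <= 128):
            return False
        try:
            derived = challenge_for(code_verifier)
        except UnicodeEncodeError:  # verifier must be ASCII
            return False
        # Constant-time comparison of the recomputed and stored challenges
        return hmac.compare_digest(derived.encode(), stored.encode())

def demo() -> dict:
    server = ToyAuthServer()
    verifier = new_verifier()
    code = server.issue_code(challenge_for(verifier))
    other_code = server.issue_code(challenge_for(new_verifier()))
    return {
        "legit": server.redeem(code, verifier),        # matching verifier
        "replay": server.redeem(code, verifier),       # code already used
        "wrong_verifier": server.redeem(other_code, new_verifier()),
    }
```

Only the first redemption succeeds: the authorization code alone is not enough without the verifier that produced its challenge, and a redeemed code cannot be presented a second time.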

What to do next
