All endpoints in the API are protected behind an authentication system, except for the endpoint to create an authentication token.

Create token

  • Method: POST
  • Body: grant_type=client_credentials
  • Headers:
    • Authorization: Basic base64Encoded(clientId:clientSecret)
    • Content-Type: application/x-www-form-urlencoded

We implement the OAuth spec with the client_credentials grant type (check the specification for more details).

Upon requesting access to the API, you'll receive a client_id and a client_secret, which will be used to create an access token. Those credentials will be included in the Authorization header, using Basic type, concatenated and base64 encoded, as specified in

For example, for a client_id = "CLIENT_ID" and a client_secret = "CLIENT_SECRET", the resulting string would be base64Encode("CLIENT_ID:CLIENT_SECRET") = "Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ".

The resulting token will have an expiration of one hour, upon which a new one needs to be created. The value for expires_in is displayed in seconds.

Example request

POST /api/oauth/token HTTP/1.1
Authorization: Basic Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ
Content-Type: application/x-www-form-urlencoded



  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 3600


The possible error codes for this endpoint are listed in the specification:

Authenticate requests

After successfully creating an access token, it can be included in the Authorization header, using Bearer type, for authenticating requests to the API.