# API Authentication (REST Access)

This page covers REST API authentication only.

Use OAuth 2.0 Client Credentials to obtain service-to-service access tokens. No end-user login is involved.
## Token Endpoint

```http
POST https://prod.personifyauth.com/connect/token
Content-Type: application/x-www-form-urlencoded
```
## Required Parameters

| Parameter | Required | Description |
|---|---|---|
| `client_id` | Yes | API client identifier provided during onboarding |
| `client_secret` | Yes | Secret paired with `client_id` |
| `grant_type` | Yes | Must be `client_credentials` |
| `scope` | Usually | Use `idp_api` unless told otherwise |
## OAuth client_credentials Example

**Note:** Replace all `YOUR_*` values with the credentials and IDs provided during onboarding.

```bash
curl --request POST 'https://prod.personifyauth.com/connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=YOUR_CLIENT_ID' \
  --data-urlencode 'client_secret=YOUR_CLIENT_SECRET' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=idp_api'
```
Example response:

```json
{
  "access_token": "<jwt_access_token>",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "idp_api"
}
```
## Authorization Bearer Usage

Send the access token on every API request, together with the tenant header:

```http
Authorization: Bearer <jwt_access_token>
X-Tenant-Id: <tenant-id>
```
## Token Lifetime and Refresh

- Default token lifetime is 3600 seconds (`expires_in` in the token response).
- Cache and reuse a token while it is still valid.
- Request a new token after expiration.
## Common Authentication Errors

```json
{
  "error": "invalid_client",
  "error_description": "Invalid client credentials"
}
```
Typical causes:

- Invalid `client_id` or `client_secret`
- Missing required form parameters
- Incorrect `grant_type` (must be `client_credentials`)
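The token request, the Bearer/`X-Tenant-Id` headers, the cache-and-refresh rule and the `invalid_client` error above fit together in one small client. The following is an added example, not Personify's own SDK: the HTTP transport is injected so the same code runs against the real endpoint (`urllib_transport`) or against a constructed fake endpoint that mimics the success and error bodies shown on this page. The class, function and header names, the `refresh_skew` parameter and the fake token value are assumptions of this example.

```python
"""Client-credentials token client for /connect/token (added example, not vendor code)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

TOKEN_URL = "https://prod.personifyauth.com/connect/token"  # endpoint from the page
DEFAULT_SCOPE = "idp_api"
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"

# Transport signature (assumed for this example): (url, headers, form) -> (status, body)
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[int, str]]


class AuthError(Exception):
    """Raised when the token endpoint returns an OAuth error body such as invalid_client."""
    def __init__(self, status: int, error: str, description: str):
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


def urllib_transport(url: str, headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: POST a urlencoded form over HTTPS. Error statuses are returned,
    not raised, so the caller can still parse the JSON error body."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


class ClientCredentialsClient:
    """Obtains, caches and refreshes an access token. client_secret stays inside this process."""
    def __init__(self, client_id: str, client_secret: str, tenant_id: str,
                 transport: Transport = urllib_transport, scope: str = DEFAULT_SCOPE,
                 clock: Callable[[], float] = time.time, refresh_skew: int = 60):
        self._client_id, self._client_secret = client_id, client_secret
        self.tenant_id, self._transport, self._scope, self._clock = tenant_id, transport, scope, clock
        self._skew = refresh_skew            # renew this many seconds before expires_in elapses
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0                 # round-trips made to the token endpoint

    def _fetch(self) -> None:
        form = {"client_id": self._client_id, "client_secret": self._client_secret,
                "grant_type": "client_credentials", "scope": self._scope}
        status, body = self._transport(TOKEN_URL, {"Content-Type": FORM_CONTENT_TYPE}, form)
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            raise AuthError(status, "invalid_response", body[:200])
        if status != 200 or "access_token" not in data:
            raise AuthError(status, data.get("error", "unknown_error"), data.get("error_description", ""))
        self._token = data["access_token"]
        self._expires_at = self._clock() + float(data.get("expires_in", 3600)) - self._skew
        self.fetch_count += 1

    def access_token(self) -> str:
        """Return the cached token, fetching a new one only when it is missing or about to expire."""
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        return self._token

    def api_headers(self) -> Dict[str, str]:
        """Headers for a REST call: Bearer token plus the tenant header from the page."""
        return {"Authorization": f"Bearer {self.access_token()}", "X-Tenant-Id": self.tenant_id}


def fake_token_endpoint(valid_id: str, valid_secret: str) -> Transport:
    """Constructed stand-in for the token endpoint (offline runs and tests only)."""
    def transport(url: str, headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
        if url != TOKEN_URL or headers.get("Content-Type") != FORM_CONTENT_TYPE:
            return 400, json.dumps({"error": "invalid_request", "error_description": "bad endpoint or content type"})
        if form.get("grant_type") != "client_credentials":
            return 400, json.dumps({"error": "unsupported_grant_type", "error_description": "use client_credentials"})
        if form.get("client_id") != valid_id or form.get("client_secret") != valid_secret:
            return 401, json.dumps({"error": "invalid_client", "error_description": "Invalid client credentials"})
        return 200, json.dumps({"access_token": "constructed.jwt.token",  # constructed placeholder
                                "expires_in": 3600, "token_type": "Bearer", "scope": form.get("scope", "")})
    return transport


class FakeClock:
    """Adjustable clock so expiry can be simulated without sleeping."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    client = ClientCredentialsClient("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "YOUR_TENANT_ID",
                                     transport=fake_token_endpoint("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"),
                                     clock=clock)
    print(client.api_headers())            # first call hits the token endpoint
    clock.now += 3600                      # simulate the 3600-second lifetime passing
    client.api_headers()                   # cached token has expired, so it is refreshed
    print("token endpoint calls:", client.fetch_count)
```

To use it against the real endpoint, drop the `transport=` and `clock=` arguments and read `client_id` / `client_secret` from a secret store rather than source code. The `refresh_skew` renews the token shortly before `expires_in` elapses so a request never goes out with a token that expires in flight; a caught `AuthError` with `error == "invalid_client"` is the case described under Common Authentication Errors.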
## Security Notes

- Never expose `client_secret` in browser code or mobile binaries.
- Use secure secret storage.
- Use HTTPS for all token and API calls.
## Keep API and user login flows separate

OIDC user login tokens should not be assumed to grant REST API access. Use this client credentials flow for REST API authorization.