Authenticated API Usage

We use a Bearer Token to authenticate API calls.

This token is acquired using the OAuth 2.0 Client Credentials flow.

Getting a Bearer Token

📘

Only Backend to Backend Communication allowed

The authorization flow must be handled exclusively by a secure backend. For security reasons, web frontends and mobile apps must not call the API directly or expose the clientSecret.

  1. Use your clientId and clientSecret (provided during onboarding) to obtain a Bearer Token.
  2. This token is valid for all organizations you've been authorized for in the given environment (sandbox or production).
  3. The token must be included in the Authorization header for every API request.

⚠️

Do not request a new token for every API call.

Tokens are valid for 10 to 24 hours, and the TTL is provided in the token response.
Refresh the token shortly before it expires and reuse it until then.


📘

HTTPS is Mandatory

All API communication must use HTTPS. Plain HTTP is not supported.

curl --location --request POST 'https://infinnityprodinternal.eu.auth0.com/oauth/token' \
--header 'Content-Type: application/json' \
--data-raw '{
    "client_id": "YOUR CLIENT ID",
    "client_secret": "YOUR CLIENT SECRET",
    "audience": "api.getpliant.com/api/integration",
    "grant_type": "client_credentials"
}'

curl --location --request POST 'https://infinnitystaginginternal.eu.auth0.com/oauth/token' \
--header 'Content-Type: application/json' \
--data-raw '{
    "client_id": "YOUR CLIENT ID",
    "client_secret": "YOUR CLIENT SECRET",
    "audience": "api.staging.v2.infinnitytest.com/api/integration",
    "grant_type": "client_credentials"
}'

{
    "access_token": "ey...0A",
    "expires_in": 86400,
    "token_type": "Bearer"
}

The token remains valid until its TTL (e.g., expires_in: 86400 = 24 hours) is reached. It will not be invalidated earlier.
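
One way to apply the reuse-and-refresh guidance above in a backend service, as an added example that is not part of the original documentation: a small in-process cache that calls the token endpoint only when no token is held or the current one is close to expiry. TokenCache, fetch_token and the 300-second refresh margin are assumptions of this example; the endpoint, audience and response fields are those shown on this page.

```python
import json
import threading
import time
import urllib.request

# Production token endpoint and audience, taken from the curl example on this page.
TOKEN_URL = "https://infinnityprodinternal.eu.auth0.com/oauth/token"
AUDIENCE = "api.getpliant.com/api/integration"


def fetch_token(client_id, client_secret, url=TOKEN_URL, audience=AUDIENCE):
    """POST the client-credentials request and return the parsed JSON response."""
    if not url.startswith("https://"):
        raise ValueError("token endpoint must use HTTPS")
    body = json.dumps({"client_id": client_id, "client_secret": client_secret,
                       "audience": audience, "grant_type": "client_credentials"})
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuses one Bearer token and renews it shortly before expires_in runs out."""

    def __init__(self, fetch, refresh_margin=300, clock=time.monotonic):
        self._fetch = fetch            # callable returning the token response dict
        self._margin = refresh_margin  # assumed value: renew 5 minutes early
        self._clock = clock
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token = None
        self._renew_at = 0.0

    def auth_header(self):
        with self._lock:
            now = self._clock()
            if self._token is None or now >= self._renew_at:
                resp = self._fetch()
                if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
                    raise ValueError("unexpected token response")
                ttl = int(resp["expires_in"])
                # Never schedule the renewal in the past, even for a short TTL.
                self._renew_at = now + max(ttl - self._margin, ttl // 2)
                self._token = resp["access_token"]
            return {"Authorization": "Bearer " + self._token}
```

Construct it once per process, for instance TokenCache(lambda: fetch_token(client_id, client_secret)) with the credentials loaded from your secret store, and merge auth_header() into the headers of every API request.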

Additional Resources