The OAuth2 Client Credentials flow is ideal for server-to-server interactions, where direct user involvement is not required. In this flow, your application obtains an access token by presenting its client credentials (client ID and secret) to the authorization server. This access token is then included in your API requests to authenticate and authorize access.

Using OAuth2 Client Credentials Flow

Obtain Your Client Credentials
1. To use OAuth2, you’ll need to obtain a Client ID and Client Secret. These will be provided by our support team or generated through your developer portal.

Request an Access Token

Using the provided client credentials, your application must make a POST request to the token endpoint. See Request access token for more information.

Token Request:

HTTP Method: POST
Endpoint: /oauth2/token
Request Headers
1. Content-Type: application/x-www-form-urlencoded
2. Authorization: Basic xxxxxxxxxxxxxxxxx
  1. Combine your client_id and client_secret into a "client_id:client_secret" string.
  2. Encode the resulting string using Base64.
  3. Add the Authorization HTTP header and set the value to "Basic " plus the encoded string.
  4. Example: Authorization: Basic VmliZXNVc2VyOlBhc3N3b3JkMTIz

Request Body Parameters

Parameter	Type	Required?	Description
`grant_type`	String	Yes	Credential type. Must be `client_credentials`
`client_id`	String	Yes	Your application’s client ID
`client_secret`	String	Yes	Your application’s client secret
`scope`	String	Yes	The permissions required for this API. Must be `https://rbm.vibes.com/rbm.agents`

Retrieve and Use the Access Token
1. If the request is successful, the server will respond with an access token in JSON format. Store this token securely in your application, as it will be used in API requests to authenticate your session.
  1. Example Response
    { "access_token": "YOUR_ACCESS_TOKEN", "token_type": "Bearer", "expires_in": 3600 }
    1. access_token: The token to use in API requests.
    2. token_type: The type of token, usually Bearer.
    3. expires_in: Time in seconds until the token expires.
Authenticate API Requests
1. Include the access token in the Authorization header for each API request.
2. Example: Authorization: Bearer YOUR_ACCESS_TOKEN

Token Expiry and Renewal

Access tokens have a limited lifespan (specified in the expires_in field). When your token expires, repeat the token request to obtain a new access token.