The M2X Public API authenticates requests with a bearer token supplied in the Authorization header.
Contact your M2X account manager to provision API credentials for your integration — a client ID and client secret. Store them securely — never commit them to source control or expose them in client-side code.
The API uses the OAuth 2.0 client credentials flow. Exchange your client ID and secret for a short-lived access token by sending a POST to the token endpoint, then use that token to authorize your requests.
curl -X POST "$M2X_BASE_URL/openId/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=$M2X_CLIENT_ID" \
-d "client_secret=$M2X_CLIENT_SECRET" \
-d "scope=read:products"List the scopes your integration needs in the scope parameter, separated by spaces — see Scopes for how to choose them. The full set of available scopes is listed in the Authorize dialog in the API reference.
A successful response returns the access token along with its type and lifetime:
{
"access_token": "<your-access-token>",
"token_type": "Bearer",
"expires_in": 600 // how long the token is valid, in seconds
}Access tokens are short-lived. Request a new one when the current token nears the end of its lifetime, or whenever a request comes back 401 Unauthorized.
Include your token as a bearer token on every request:
curl "$M2X_BASE_URL/apis/v0/products" \
-H "Authorization: Bearer $M2X_TOKEN"Each token carries a set of scopes that determine which operations it can perform. When you request a token, you specify which scopes it should include — request only the scopes your integration actually needs.
This follows the principle of least privilege — for example, requesting only read scopes produces a read-only token that can fetch data but can't create, update, or delete anything. A request that needs a scope the token doesn't hold is rejected with a 403 Forbidden.
The reference docs are an exception: when you request a token through Using "Try it", all scopes are enabled by default and you can toggle off the ones you don't want.
| Status | Meaning | What to do |
|---|---|---|
401 Unauthorized | Missing or invalid token | Check the Authorization header and token validity. |
403 Forbidden | Token lacks permission | Confirm the token's scope with your M2x account manager. |
- Return to Getting started to make your first call.