Skip to content
Last updated

Authentication

The M2X Public API authenticates requests with a bearer token supplied in the Authorization header.

Obtaining credentials

Contact your M2X account manager to provision API credentials for your integration — a client ID and client secret. Store them securely — never commit them to source control or expose them in client-side code.

Requesting a token

The API uses the OAuth 2.0 client credentials flow. Exchange your client ID and secret for a short-lived access token by sending a POST to the token endpoint, then use that token to authorize your requests.

curl -X POST "$M2X_BASE_URL/openId/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=$M2X_CLIENT_ID" \
  -d "client_secret=$M2X_CLIENT_SECRET" \
  -d "scope=read:products"

List the scopes your integration needs in the scope parameter, separated by spaces — see Scopes for how to choose them. The full set of available scopes is listed in the Authorize dialog in the API reference.

A successful response returns the access token along with its type and lifetime:

{
  "access_token": "<your-access-token>",
  "token_type": "Bearer",
  "expires_in": 600 // how long the token is valid, in seconds
}
Tokens expire

Access tokens are short-lived. Request a new one when the current token nears the end of its lifetime, or whenever a request comes back 401 Unauthorized.

Authorizing a request

Include your token as a bearer token on every request:

curl "$M2X_BASE_URL/apis/v0/products" \
  -H "Authorization: Bearer $M2X_TOKEN"

Scopes

Each token carries a set of scopes that determine which operations it can perform. When you request a token, you specify which scopes it should include — request only the scopes your integration actually needs.

This follows the principle of least privilege — for example, requesting only read scopes produces a read-only token that can fetch data but can't create, update, or delete anything. A request that needs a scope the token doesn't hold is rejected with a 403 Forbidden.

The reference docs are an exception: when you request a token through Using "Try it", all scopes are enabled by default and you can toggle off the ones you don't want.

Handling auth errors

StatusMeaningWhat to do
401 UnauthorizedMissing or invalid tokenCheck the Authorization header and token validity.
403 ForbiddenToken lacks permissionConfirm the token's scope with your M2x account manager.

Next steps