# Authentication The M2X Public API authenticates requests with a bearer token supplied in the `Authorization` header. ## Obtaining credentials Contact your M2X account manager to provision API credentials for your integration — a **client ID** and **client secret**. Store them securely — never commit them to source control or expose them in client-side code. ## Requesting a token The API uses the OAuth 2.0 **client credentials** flow. Exchange your client ID and secret for a short-lived access token by sending a `POST` to the token endpoint, then use that token to authorize your requests. ```bash curl -X POST "$M2X_BASE_URL/openId/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=client_credentials" \ -d "client_id=$M2X_CLIENT_ID" \ -d "client_secret=$M2X_CLIENT_SECRET" \ -d "scope=read:products" ``` List the scopes your integration needs in the `scope` parameter, separated by spaces — see [Scopes](#scopes) for how to choose them. The full set of available scopes is listed in the **Authorize** dialog in the API reference. A successful response returns the access token along with its type and lifetime: ```json { "access_token": "", "token_type": "Bearer", "expires_in": 600 // how long the token is valid, in seconds } ``` Tokens expire Access tokens are short-lived. Request a new one when the current token nears the end of its lifetime, or whenever a request comes back `401 Unauthorized`. ## Authorizing a request Include your token as a bearer token on every request: ```bash curl "$M2X_BASE_URL/apis/v0/products" \ -H "Authorization: Bearer $M2X_TOKEN" ``` ## Scopes Each token carries a set of **scopes** that determine which operations it can perform. When you request a token, you specify which scopes it should include — request only the scopes your integration actually needs. This follows the principle of least privilege — for example, requesting only read scopes produces a **read-only** token that can fetch data but can't create, update, or delete anything. A request that needs a scope the token doesn't hold is rejected with a `403 Forbidden`. The reference docs are an exception: when you request a token through [Using "Try it"](/apis/publicapi/guides/try-it#token-scopes), all scopes are enabled by default and you can toggle off the ones you don't want. ## Handling auth errors | Status | Meaning | What to do | | --- | --- | --- | | `401 Unauthorized` | Missing or invalid token | Check the `Authorization` header and token validity. | | `403 Forbidden` | Token lacks permission | Confirm the token's scope with your M2x account manager. | ## Next steps - Return to [Getting started](/apis/publicapi/guides/getting-started) to make your first call.