Skip to content
SecurityPro Access API

Authentication

The SecurityPro Access API uses a client credentials flow to authenticate requests.

Applications exchange their client credentials for a temporary access token, which is then used to authorize API requests.

Obtain an access token

Section titled “Obtain an access token”

Endpoint

POST /auth/token

Request body

Section titled “Request body”
{
  "client_id": "sp_demo_client",
  "client_secret": "sp_demo_secret",
  "grant_type": "client_credentials"
}

Example request

Section titled “Example request”
Terminal window
curl -X POST https://sandbox-api.securitypro.dev/v1/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "sp_demo_client",
    "client_secret": "sp_demo_secret",
    "grant_type": "client_credentials"
  }'

Example response

Section titled “Example response”
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.demo",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "users:read users:write audit:read roles:write"
}

Use the token

Section titled “Use the token”

Include the token in the Authorization header for all requests:

Authorization: Bearer YOUR_ACCESS_TOKEN

Token expiration

Section titled “Token expiration”
  • Tokens expire after 3600 seconds
  • Expired or invalid tokens return 401 Unauthorized

Security notes

Section titled “Security notes”
  • Never expose client_secret in client-side code
  • Store credentials in environment variables
  • Rotate credentials periodically