
Overview

The Scalekit API uses the OAuth 2.0 Client Credentials flow for authentication. This flow is designed for server-to-server authentication, where your application accesses the API on its own behalf.

Obtain API Credentials

Before you can authenticate, you need to obtain your API credentials from the Scalekit Dashboard:
  1. Log in to the Scalekit Dashboard
  2. Navigate to the API Config section
  3. Copy your credentials:
    • Environment URL
    • Client ID
    • Client Secret
Security: Never expose your client secret in client-side code or public repositories. Store credentials securely using environment variables.

Set Environment Variables

Store your credentials as environment variables:

Request Access Token

Exchange your client credentials for an access token:

Token Response

The token endpoint returns an access token that you’ll use for subsequent API requests:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InNua181Ok4OTEyMjU2NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 86399,
  "scope": "openid"
}

• access_token (string, required): The JWT access token to use in API requests. Include this in the Authorization header.
• token_type (string): Always Bearer for the OAuth 2.0 Client Credentials flow.
• expires_in (integer): Number of seconds until the token expires (typically 86399 seconds / 24 hours).
• scope (string): OAuth scopes granted to this token.

Make Authenticated Requests

Include the access token in the Authorization header for all API requests:

Token Management

Token Expiration

Access tokens expire after 24 hours (86399 seconds). The Scalekit SDKs automatically handle token refresh, but if you’re making raw API calls, you’ll need to:
  1. Track token expiration using the expires_in value
  2. Request a new token before the current one expires
  3. Update your Authorization header with the new token
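
The three steps above as a small token cache for raw API calls. This is an added example, not Scalekit SDK or documentation code. The /oauth/token path, the SCALEKIT_* variable names and the 60-second refresh margin are assumptions that do not come from this page.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth/token"  # assumption: path is not given on this page


def fetch_token(env_url, client_id, client_secret):
    """POST the client-credentials grant and return the parsed JSON response."""
    if not env_url.startswith("https://"):
        raise ValueError("refusing to send the client secret over non-HTTPS")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(env_url.rstrip("/") + TOKEN_PATH, data=form)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches one access token and renews it `skew` seconds before expiry."""
    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def auth_header(self):
        now = self._clock()
        # Step 2: renew before the current token expires, not after.
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])  # step 1
        return {"Authorization": "Bearer " + self._token}     # step 3

    def invalidate(self):
        """Drop the cached token, e.g. after a 401 "Token expired" response."""
        self._token = None


def cache_from_env():
    """Build a cache from environment variables (names are assumptions)."""
    e = os.environ
    return TokenCache(lambda: fetch_token(
        e["SCALEKIT_ENVIRONMENT_URL"], e["SCALEKIT_CLIENT_ID"], e["SCALEKIT_CLIENT_SECRET"]))
```

Call auth_header() before every request instead of storing the header yourself, so a renewed token is picked up without further code.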

Token Security

Critical Security Practices:
• Never hard-code credentials in your source code
• Store client secrets in secure environment variables or secret management systems
• Never expose tokens in client-side code or public repositories
• Rotate credentials regularly
• Use HTTPS for all API requests to prevent token interception

Authentication Errors

Common authentication errors and solutions:

| Error Code | Error | Solution |
| --- | --- | --- |
| 401 | Token empty | Include the Authorization header with a valid Bearer token |
| 401 | Invalid credentials | Verify your client_id and client_secret are correct |
| 401 | Token expired | Request a new access token |
| 403 | Insufficient permissions | Verify your API credentials have the necessary scopes |

Next Steps

• Authorization URL: Generate authorization URLs for SSO flows
• Token Exchange: Exchange authorization codes for user tokens
