Skip to main content
Mint a short-lived access token using OAuth 2.0 Client Credentials, and use it to authenticate calls to the Oleria API. The Oleria API uses the OAuth 2.0 Client Credentials grant: you exchange a client_id and client_secret for a short-lived JWT access token, then pass that token as a Bearer credential on every API call.

Prerequisites

  • Network access from your client to the Oleria authorization server and to the Oleria API base URL for your environment.
  • A secret manager or environment-variable store to hold the client_secret outside of source control.
Treat your client_secret like a password. Never commit it to source control, paste it into chat or tickets, or embed it in client-side code. If you suspect a secret has leaked, rotate it immediately by deleting the key from Settings → Manage APIs and creating a new one.

Get your client credentials

Generate OAuth client credentials directly from the Oleria web app:
  1. Sign in to your Oleria workspace and open Settings → Manage APIs.
  2. Click Create OAuth application in the top right.
  3. Enter a descriptive name for your integration (for example, BI nightly export or internal access-graph viewer) and click Create.
  4. The new application opens in a side panel with the values you need to call the API:
    • API URL - the base URL for your API calls.
    • Authentication URL - the OAuth token endpoint for your tenant.
    • Audience - the OAuth audience to use when requesting a token.
    • Client ID - your application’s identifier.
    • Client secret - shown masked; use the eye icon to reveal it or the copy icon to copy it to your clipboard.
  5. Copy the client_id, client_secret, and Authentication URL into your secret manager. Treat the secret like a password.
Use a separate OAuth application for each integration. This makes auditing easier and limits the blast radius if any single credential is compromised.

Token endpoint

The token endpoint URL is tenant-specific and is shown in the Authentication URL field when you create an API key.

Request a token

Send a form-encoded POST to the token endpoint. The body must include grant_type, client_id, and client_secret.
A successful call returns 200 OK with a JSON body:

Use the token

Send the token as a Bearer credential in the Authorization header on every Oleria API request.

Token lifetime and reuse

  • A token is valid for expires_in seconds (typically one hour).
  • Reuse the same token for every API call until it is close to expiry. Minting a new token for every request is wasteful and can hit auth-side rate limits.
  • Cache tokens in memory inside your client and refresh them when they have fewer than 60 seconds of life remaining.
  • Treat access tokens like passwords - keep them in memory only, and avoid writing them to disk or logs.
If you use a standard OAuth 2.0 client library (for example, requests-oauthlib in Python or golang.org/x/oauth2/clientcredentials in Go), token caching and automatic refresh are handled for you.

Rotate or revoke credentials

To rotate a client_secret, delete the API key from Settings → Manage APIs and create a new one. Roll out the new client_id and client_secret to every client that uses them before deleting the old key. Plan rotations during a low-traffic window to avoid dropped requests.

Troubleshooting

Contact us

For questions about API authentication, contact us at support@oleria.com.