client_id and client_secret for a short-lived JWT access token, then pass that token as a Bearer credential on every API call.
Prerequisites
- Network access from your client to the Oleria authorization server and to the Oleria API base URL for your environment.
- A secret manager or environment-variable store to hold the
client_secretoutside of source control.
Get your client credentials
Generate OAuth client credentials directly from the Oleria web app:- Sign in to your Oleria workspace and open Settings → Manage APIs.
- Click Create OAuth application in the top right.
- Enter a descriptive name for your integration (for example,
BI nightly exportorinternal access-graph viewer) and click Create. - The new application opens in a side panel with the values you need to call the API:
- API URL - the base URL for your API calls.
- Authentication URL - the OAuth token endpoint for your tenant.
- Audience - the OAuth audience to use when requesting a token.
- Client ID - your application’s identifier.
- Client secret - shown masked; use the eye icon to reveal it or the copy icon to copy it to your clipboard.
- Copy the
client_id,client_secret, and Authentication URL into your secret manager. Treat the secret like a password.
Use a separate OAuth application for each integration. This makes auditing easier and limits the blast radius if any single credential is compromised.
Token endpoint
The token endpoint URL is tenant-specific and is shown in the Authentication URL field when you create an API key.
Request a token
Send a form-encodedPOST to the token endpoint. The body must include grant_type, client_id, and client_secret.
200 OK with a JSON body:
Use the token
Send the token as a Bearer credential in theAuthorization header on every Oleria API request.
Token lifetime and reuse
- A token is valid for
expires_inseconds (typically one hour). - Reuse the same token for every API call until it is close to expiry. Minting a new token for every request is wasteful and can hit auth-side rate limits.
- Cache tokens in memory inside your client and refresh them when they have fewer than 60 seconds of life remaining.
- Treat access tokens like passwords - keep them in memory only, and avoid writing them to disk or logs.
Rotate or revoke credentials
To rotate aclient_secret, delete the API key from Settings → Manage APIs and create a new one. Roll out the new client_id and client_secret to every client that uses them before deleting the old key. Plan rotations during a low-traffic window to avoid dropped requests.

