
Server-to-Server Authentication

The Partner API uses the OAuth2 Client Credentials flow for secure server-to-server communication. Contact your account manager to receive your initial admin username and password.

Prerequisites

1. Receive Initial Credentials

Contact your account manager to receive your initial admin username and password.

2. Log in to the Platform

Log in at https://app.podero.com/accounts/login/ (or use your sandbox URL subdomain).
Please make sure you change your password after your first login.

Register a New Application

1. Access Application Portal

Visit https://app.podero.com/oauth2/applications/register/ (or use your sandbox URL subdomain) to create a new client application.

2. Configure Application

Fill in the application details:
  • Name: Your application name
  • Client Type: Select Confidential
  • Authorization Grant Type: Select Client Credentials
  • Redirect URIs: Not necessary (leave empty)
3. Save Credentials Immediately

Immediately copy the client ID and the client secret and keep them somewhere safe. You will not be able to retrieve your client secret later.
Save the application after copying your credentials.
[Screenshot: OAuth Application Registration]

Generating an Access Token

To get an access token and use the API, make a request to the token endpoint with a Basic Auth header whose value is the base64 encoding of client_id:client_secret.
You may need to use a base64 encoder tool to get the encoded string. For example, DevToys is a useful tool for this purpose.

Request

# --user makes curl build the Basic header (base64 of client_id:client_secret) for you;
# CLIENT_ID and CLIENT_SECRET are the values copied when the application was registered.
curl -X POST 'https://app.podero.com/oauth2/token/' \
  --user "$CLIENT_ID:$CLIENT_SECRET" \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -d '{
    "grant_type": "client_credentials"
  }'

Response

You will receive a response containing an access token, as well as the expiration time.
{
  "access_token": "PaZDOD5UwzbGOFsQr34LQ7JUYOj3yK",
  "expires_in": 36000,
  "token_type": "Bearer",
  "scope": "read write"
}
Response fields:
  • access_token (string, required): Bearer token for API authentication. Use this in the Authorization header for all subsequent API requests.
  • expires_in (integer, required): Token lifetime in seconds. Typically 36000 seconds (10 hours).
  • token_type (string, required): The type of token. Always "Bearer" for this flow.
  • scope (string, required): The scopes granted to this token. Typically "read write" for full access.
Store the access token securely and renew it before it expires so you do not lose access to the API.

Using the Access Token

For subsequent requests to the API, include the access token in the Authorization header:
Authorization: Bearer {access_token}

Example API Request

curl -X GET \
  'https://app.podero.com/api/partners/v2.0/org/{org_id}/users' \
  -H 'Authorization: Bearer {access_token}' \
  -H 'Accept: application/json'

Refreshing the Token

Refreshing the token is done with the same request you used to get the initial token. There is no refresh token; simply request a new access token using your client credentials.
When your token is about to expire, make the same POST request to /oauth2/token/ with your client credentials to obtain a new access token.

Best Practices

  • Store client secrets in environment variables or secure vaults
  • Never commit credentials to source control
  • Use different credentials for each environment (production, sandbox)
  • Implement automatic token refresh before expiration
  • Handle 401 Unauthorized responses by refreshing the token
  • Cache tokens to avoid unnecessary token requests
  • Implement retry logic for transient failures
  • Log authentication errors for debugging
  • Monitor token expiration and refresh patterns
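The following client wrapper puts the token request, caching, pre-expiry renewal and 401 retry from the sections above into one place. It is an added example, not Podero's own SDK; FakeServer is a constructed offline stand-in for the token endpoint and one API route, and in production you would pass a transport callable that wraps requests or httpx instead.

```python
import base64
import json
import time

TOKEN_URL = "https://app.podero.com/oauth2/token/"
REFRESH_SKEW = 300  # renew this many seconds before expires_in runs out

class ClientCredentials:  # transport(method, url, headers, body) -> (status, body_text)
    def __init__(self, client_id, client_secret, transport, now=time.time):
        self._basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._transport, self._now = transport, now
        self._token, self._expires_at, self.token_requests = None, 0.0, 0

    def _fetch_token(self):
        headers = {"Authorization": f"Basic {self._basic}", "Content-Type": "application/json"}
        status, body = self._transport("POST", TOKEN_URL, headers, json.dumps({"grant_type": "client_credentials"}))
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        data = json.loads(body)
        self._token = data["access_token"]
        self._expires_at = self._now() + int(data["expires_in"])
        self.token_requests += 1  # counts round trips to the token endpoint

    def token(self):
        if self._token is None or self._now() >= self._expires_at - REFRESH_SKEW:
            self._fetch_token()
        return self._token

    def request(self, method, url):
        for attempt in range(2):
            headers = {"Authorization": f"Bearer {self.token()}", "Accept": "application/json"}
            status, body = self._transport(method, url, headers, "")
            if status != 401 or attempt:
                return status, body
            self._token = None  # rejected: drop the cached token, retry once with a fresh one

class FakeServer:  # constructed offline stand-in for the token endpoint and one API route
    def __init__(self, client_id, client_secret):
        self.expect = "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self.issued, self.valid = 0, set()  # valid: tokens this 'server' still accepts

    def __call__(self, method, url, headers, body):
        auth = headers.get("Authorization", "")
        if url == TOKEN_URL and auth == self.expect and json.loads(body)["grant_type"] == "client_credentials":
            self.issued += 1
            self.valid.add(f"tok-{self.issued}")
            return 200, json.dumps({"access_token": f"tok-{self.issued}", "expires_in": 36000, "token_type": "Bearer"})
        if auth.startswith("Bearer ") and auth[7:] in self.valid:
            return 200, '{"users": []}'
        return 401, '{"detail": "Invalid token."}'
```

Clearing srv.valid on the fake server simulates a server-side revocation: the next call gets a 401, the wrapper discards its cached token, fetches a new one and retries exactly once.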
