# Partner API Authentication

This document explains how to authenticate to our API using the OAuth 2.0 `client_credentials` grant type for server-to-server authentication.

## Overview

1. **Receive API credentials**: We will provide you with the API client ID and client secret.
2. **Request an access token**: Send an HTTP POST request to our token endpoint to request an access token.
3. **Receive and use the access token**: Use the access token to make authenticated API requests on behalf of your server.

## Step-by-Step Guide

### 1. Receive API credentials

We will provide you with the following API credentials:

* `client_id`: The unique identifier for your client (application) in our system.
* `client_secret`: A secret key that should be kept confidential and used for authentication.

### 2. Request an access token

To authenticate using the `client_credentials` grant type, send an HTTP POST request to our token endpoint ([`Get Token`](https://docs.wawex.ai/api-reference/authorization#post-oauth2-token)) with the header `Content-Type: application/x-www-form-urlencoded` and the following parameters:

* `grant_type`: Set the value to `client_credentials`.
* `client_id`: The client ID you received from us.
* `client_secret`: The client secret you received from us.

### 3. Receive and use the access token

If the request is successful, our authentication service will return a JSON object containing the access token, token type, and expiration time (in seconds).

To use the access token, include it in the "Authorization" header as a Bearer token when making API requests. For example:

```http
Authorization: Bearer your_access_token
```

Replace `your_access_token` with the actual access token you received from the previous step.

Keep in mind that access tokens have a limited lifetime, and you will need to request a new one once the current token expires. To avoid unnecessary API calls, you can cache the access token and refresh it when it's close to expiring.

**Note**: The `client_credentials` grant type is designed for server-to-server authentication and should not be used to authenticate end-users. Keep your `client_secret` confidential and secure, as it's a critical part of the authentication process.

### 4. Requestor identification

All commands except those listed below must include the `Requestor-ID` header, which identifies the requestor of the command (natural person ID). Validation of the requestor's permissions to perform a specific command will be added in the future.

* create natural person / natural persons wizards
* create legal entity customer / prepare legal entity
