# Partner API Authentication

This document explains how to authenticate to our API using the OAuth 2.0 `client_credentials` grant type for server-to-server authentication.

## Overview

1. **Receive API credentials**: We will provide you with the API client ID and client secret.
2. **Request an access token**: Send an HTTP POST request to our token endpoint to request an access token.
3. **Receive and use the access token**: Use the access token to make authenticated API requests on behalf of your server.

## Step-by-Step Guide

### 1. Receive API credentials

We will provide you with the following API credentials:

* `client_id`: The unique identifier for your client (application) in our system.
* `client_secret`: A secret key that should be kept confidential and used for authentication.

### 2. Request an access token

To authenticate using the `client_credentials` grant type, send an HTTP POST request to our token endpoint ([`Get Token`](/api-reference/authorization.md#post-oauth2-token)) with the header `Content-Type: application/x-www-form-urlencoded` and the following parameters:

* `grant_type`: Set the value to `client_credentials`.
* `client_id`: The client ID you received from us.
* `client_secret`: The client secret you received from us.

### 3. Receive and use the access token

If the request is successful, our authentication service will return a JSON object containing the access token, token type, and expiration time (in seconds).

To use the access token, include it in the "Authorization" header as a Bearer token when making API requests. For example:

```http
Authorization: Bearer your_access_token
```

Replace `your_access_token` with the actual access token you received from the previous step.

Keep in mind that access tokens have a limited lifetime, and you will need to request a new one once the current token expires. To avoid unnecessary API calls, you can cache the access token and refresh it when it's close to expiring.

**Note**: The `client_credentials` grant type is designed for server-to-server authentication and should not be used to authenticate end-users. Keep your `client_secret` confidential and secure, as it's a critical part of the authentication process.

### 4. Requestor identification

All commands except those listed below must include the `Requestor-ID` header, which identifies the requestor of the command (natural person ID). Validation of the requestor's permissions to perform a specific command will be added in the future.

* create natural person / natural persons wizards
* create legal entity customer / prepare legal entity
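The token request, caching and header construction from steps 2 to 4 can be combined in one small client. This is an added example, not code from our API or SDK. It assumes a placeholder token URL (the real one is in the `Get Token` reference) and the standard OAuth 2.0 response field names `access_token`, `token_type` and `expires_in`; `TokenCache`, `http_post_form` and the 30-second renewal margin are hypothetical names and values.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder: take the real token URL from the "Get Token" API reference.
TOKEN_URL = "https://api.example.invalid/oauth2/token"


def http_post_form(url, fields):
    """POST form-encoded fields over HTTPS and return the decoded JSON body."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches one access token and renews it shortly before it expires."""

    def __init__(self, client_id, client_secret, post=http_post_form,
                 clock=time.monotonic, skew=30):
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Renew when nothing is cached or expiry is within `skew` seconds.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._post(TOKEN_URL, self._creds)
            # Field names are assumed (RFC 6749, section 5.1).
            if body.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type")
            self._token = body["access_token"]
            self._expires_at = self._clock() + float(body["expires_in"])
        return self._token

    def headers(self, requestor_id=None):
        """Headers for an API call; requestor_id is the natural person id."""
        h = {"Authorization": f"Bearer {self.token()}"}
        if requestor_id is not None:
            h["Requestor-ID"] = requestor_id
        return h
```

Load `client_id` and `client_secret` from your secret store or environment rather than from source code, and keep the token itself out of logs.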


