Authentication

Issues OAuth 2.0 access tokens for machine-to-machine API access. Exchange a client ID and client secret for a short-lived bearer token, then include it alongside your tenant ID and API key on every subsequent request. Client credentials — and the per-resource permissions you grant them — are managed in the Carriyo Dashboard.

POST /oauth/token

Get access token

Exchanges a client_id and client_secret for an access token.

Use the returned access_token as a bearer token in the Authorization header on every subsequent Carriyo API call. Cache the token client-side until it expires; expires_in reports the lifetime in seconds.

Headers

Name | Value | Required | Description
--- | --- | --- | ---
Content-Type | application/json | Yes | Media type of the request body.

Request body

Content type: application/json (required)
  • client_id (string, required)
    The client ID generated in the Carriyo Dashboard.
  • client_secret (string, required)
    The client secret generated in the Carriyo Dashboard.

Responses

200: Success response.
  • access_token (string, required)
    OAuth access token to use as a bearer token on subsequent API calls.
  • scope (string, required)
    Space-separated list of permissions granted to the token.
  • expires_in (number, required)
    Token lifetime in seconds. Carriyo currently returns 86400 (24 hours).
  • token_type (string, required)
    Always Bearer.
400: Bad request. `client_id` or `client_secret` is missing from the request body.
  • error (string, required)
    The error code (bad_request).
  • error_description (string, required)
    Human-readable explanation.
403: Error response.
  • error (string, required)
    Error code.
  • error_description (string, required)
    Human-readable explanation.
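
The token exchange and client-side caching described above, as an added example that is not part of the Carriyo documentation: it requests a token once, reuses it until shortly before expires_in elapses, and reports only the documented error fields on a 400 or 403 so the client secret never reaches logs. Assumptions: TOKEN_URL is a placeholder host (the page does not give one), the names TokenCache, TokenError and http_post_json are hypothetical, and the 60-second early-refresh margin is an arbitrary choice.

```python
import json
import time
import urllib.error
import urllib.request

# Placeholder: the page does not state the API host.
TOKEN_URL = "https://API-HOST.example/oauth/token"


class TokenError(Exception):
    """Token request rejected; carries error and error_description only."""


def http_post_json(url, payload):
    """Default transport: POST a JSON body, return (status, parsed body)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 400 / 403 carry a JSON error body
        return err.code, json.load(err)


class TokenCache:
    def __init__(self, client_id, client_secret, post=http_post_json,
                 clock=time.monotonic, skew=60):
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def _fetch(self):
        status, body = self._post(TOKEN_URL, self._creds)
        if status != 200:
            # Surface the documented error fields; never echo the credentials.
            raise TokenError(
                f"{status} {body.get('error')}: {body.get('error_description')}")
        if body.get("token_type") != "Bearer":
            raise TokenError("unexpected token_type")
        self._token = body["access_token"]
        # Refresh `skew` seconds early so a token never expires mid-request.
        self._expires_at = self._clock() + body["expires_in"] - self._skew

    def auth_header(self):
        """Return the Authorization header, refreshing only when needed."""
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        return {"Authorization": f"Bearer {self._token}"}
```

The tenant ID and API key that accompany the bearer token on each request are not covered here because the page does not name their headers.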
