Skip to main content

M2M Access (Client Credentials)

Overview

Client Credentials allow automated services, CI/CD pipelines, and backend scripts to call WEDA APIs without a human login. This tutorial covers creating a Client Credential, listing and deleting credentials, and exchanging the credential for an M2M access token (cc_access_token).

These requests are part of the 1-Org&ClientCrend collection (requests 4–7).


Prerequisites


Auto-captured Variables

VariableSet byDescription
clientIdClient-Cred CreateM2M client ID
clientSecretClient-Cred CreateM2M client secret — shown only once
clientCredentialIdClient-Cred Create / ListUsed to delete a specific credential
cc_access_tokenConnect TokenM2M bearer token for non-interactive API calls

Get an M2M Token

To obtain cc_access_token, run these two requests in order:

  1. Client-Cred Create — creates the credential and captures clientId + clientSecret
  2. Connect Token — exchanges them for cc_access_token

That's the only required sequence. The other requests (List, Delete) are management operations you can run independently at any time.


Requests in This Collection

Client-Cred Create

Creates a new Client Credential scoped to your tenant. The request Body is pre-filled (name, expiredAt, and scopes) — send it as-is, or adjust the values first: name (required), expiredAt (ISO 8601, optional), scopes (optional array).

  • API: Create Client Credential
  • Script: clientId, clientSecret, and clientCredentialId saved to environment automatically
  • Result: 201 Created — response body contains clientId and clientSecret
warning

clientSecret appears only in this response. Copy and store it securely before sending any other request. It cannot be retrieved again — if lost, you must delete this credential and create a new one.


Connect Token

Exchanges clientId and clientSecret for an M2M access token. Postman pre-fills the application/x-www-form-urlencoded body from your environment variables automatically.

  • Script: saves cc_access_token, cc_expires_in, and cc_token_type to environment
  • Result: 200 OK — response body contains an access token

Client-Cred List

Lists all Client Credentials in your tenant. Secrets are never included in list responses.

  • API: List Client Credentials
  • Script: clientCredentialId updated to the first item's ID
  • Result: 200 OK — response body contains a list of credentials

Client-Cred Delete

Deletes the credential stored in clientCredentialId.

warning

Deleting a credential revokes API access immediately for any service currently using it. There is no grace period.


Notes

cc_access_token is the M2M equivalent of accessToken. Collection 3 includes a dedicated request — Data Points Latest Get by Client Token — that uses cc_access_token instead of the user token. This means you can read telemetry data from an automated service without requiring anyone to be logged in.

For a conceptual explanation of the difference between user tokens and M2M tokens, see Authentication.


Last updated on Jul-16, 2026 | Version 1.1.0