M2M Access (Client Credentials)
Overview
Client Credentials allow automated services, CI/CD pipelines, and backend scripts to call WEDA APIs
without a human login. This tutorial covers creating a Client Credential, listing and deleting
credentials, and exchanging the credential for an M2M access token (cc_access_token).
These requests are part of the 1-Org&ClientCrend collection (requests 4–7).
Prerequisites
- Completed Get Access Token —
accessTokenmust be set in your environment.
Auto-captured Variables
| Variable | Set by | Description |
|---|---|---|
clientId | Client-Cred Create | M2M client ID |
clientSecret | Client-Cred Create | M2M client secret — shown only once |
clientCredentialId | Client-Cred Create / List | Used to delete a specific credential |
cc_access_token | Connect Token | M2M bearer token for non-interactive API calls |
Get an M2M Token
To obtain cc_access_token, run these two requests in order:
- Client-Cred Create — creates the credential and captures
clientId+clientSecret - Connect Token — exchanges them for
cc_access_token
That's the only required sequence. The other requests (List, Delete) are management operations you can run independently at any time.
Requests in This Collection
Client-Cred Create
Creates a new Client Credential scoped to your tenant. The request Body is pre-filled (name, expiredAt, and scopes) — send it as-is, or adjust the values first: name (required), expiredAt (ISO 8601, optional), scopes (optional array).
- API: Create Client Credential
- Script:
clientId,clientSecret, andclientCredentialIdsaved to environment automatically - Result:
201 Created— response body containsclientIdandclientSecret
clientSecret appears only in this response. Copy and store it securely before sending any
other request. It cannot be retrieved again — if lost, you must delete this credential and create a
new one.
Connect Token
Exchanges clientId and clientSecret for an M2M access token. Postman pre-fills the application/x-www-form-urlencoded body from your environment variables automatically.
- Script: saves
cc_access_token,cc_expires_in, andcc_token_typeto environment - Result:
200 OK— response body contains an access token
Client-Cred List
Lists all Client Credentials in your tenant. Secrets are never included in list responses.
- API: List Client Credentials
- Script:
clientCredentialIdupdated to the first item's ID - Result:
200 OK— response body contains a list of credentials
Client-Cred Delete
Deletes the credential stored in clientCredentialId.
- API: Delete Client Credential
- Result:
200 OKor204 No Content
Deleting a credential revokes API access immediately for any service currently using it. There is no grace period.
Notes
cc_access_token is the M2M equivalent of accessToken. Collection 3 includes a dedicated
request — Data Points Latest Get by Client Token — that uses cc_access_token instead of the
user token. This means you can read telemetry data from an automated service without requiring
anyone to be logged in.
For a conceptual explanation of the difference between user tokens and M2M tokens, see Authentication.
Related
- For API details and developer reference: Authentication — M2M Token