Authentication

Request a machine-to-machine access token and use it safely with the approved OmniLab API endpoints.

Use this article when your backend needs to call OmniLab directly. OmniLab currently uses a machine-to-machine client-credentials flow for the supported developer endpoints.

Prerequisites

  • OmniLab has provisioned a client_id, client_secret, and audience for your tenant.
  • You know the environment-specific API base URL.
  • The token request will be made from a server you control, not from browser code or a mobile app bundle.

Customer Success provides the credentials

The client_id, client_secret, audience, and environment base URLs are not self-service today. Request them through the OmniLab team and confirm which endpoints are enabled for your tenant.

Request a token

Collect the credentials for the right environment

Keep production and staging credentials separate, and store them in a secure secret manager before development starts.

Call the token endpoint

Use POST https://<api-host>/v1/oauth:token with a JSON body:

Request a token with curl
curl -X POST "https://<api-host>/v1/oauth:token" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "audience": "YOUR_AUDIENCE",
    "grant_type": "client_credentials"
  }'

Read the token response

If the request is accepted, OmniLab returns a bearer token response similar to this:

Token response
{
  "access_token": "YOUR_ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 3600
}

Treat expires_in as the lifetime of that token and refresh it before it expires, or after a 401 response from a supported API endpoint.

Send the token on API requests

Pass the token in the standard Authorization header:

Bearer token on an OmniLab API request
Authorization: Bearer YOUR_ACCESS_TOKEN

Security rules that matter

  • Never expose the client_secret in browser JavaScript, a kiosk page, or a mobile app bundle.
  • Keep the token exchange on your own backend, then call OmniLab server-to-server.
  • Store separate credentials per environment.
  • Rotate compromised or obsolete credentials through the OmniLab team.
  • Log request IDs and timestamps on your side, but never log full secrets or full access tokens.

Where this token is used today

The documented external use cases in this help center include:

  • booking lookup and cancellation flows
  • approved partner or tenant integrations enabled for your environment
  • future API reference coverage as the public surface expands
