Request
POST /connect/token
Requests a bearer token with client_credentials.
Run this first, then call the public API.
Scope OAuth token
API documentation
Authentication
Exchanges OAuth client credentials for a bearer token used by every public LimitRail API call.
When to use: Run it before any other endpoint. The selected scopes define what the returned token is allowed to call.
The token is a short-lived bearer credential. Treat it as sensitive and never persist it in a mobile client.
Form fields 4 field(s)
grant_type
string
Required
OAuth2 grant type.
Allowed values: client_credentials
Impact: Only CLIENT_CREDENTIALS is supported for machine-to-machine integration.
client_credentials requests a token for the integration platform, not for an end user.
client_id
string
Required
Public identifier of the OAuth client created in Developer access.
Allowed values: lr_cdadc4d7359a489ca5a2bd3fc9cb0202
Impact: It selects the tenant and the allowed scope set.
Using a client from another environment gives you a token for that environment only.
client_secret
string
Required
Secret credential paired with the client id.
Impact: It proves that the calling system owns the OAuth client.
Rotate it if it is copied into an unsafe location.
scope
space-separated string
Required
Scopes requested for the token.
Impact: The token can call only APIs covered by these scopes.
Ask only for scopes the integration flow needs; for this console all public scopes can be selected.
Response fields 4 field(s)
access_token
string
Required
Bearer token to send in the Authorization header.
Impact: Every public API endpoint validates this token and its scopes.
Authorization: Bearer eyJhbGci...
token_type
string
Required
OAuth token type.
Impact: Use it as the Authorization header prefix.
Bearer
expires_in
number
Required
Token lifetime in seconds.
Impact: When it expires, API calls return 401 and the client must request a fresh token.
3600
scope
string
Optional
Scopes granted by the authorization server.
Impact: Compare this with the scope required by the selected endpoint.
Status and errors 5 field(s)
200 OK
HTTP
Required
The request was accepted and the response body follows the endpoint contract.
Impact: For list endpoints this can still be an empty items array.
200 with items: [] means no matching data, not a transport failure.
400 Bad Request
HTTP
Optional
The input shape is invalid or a business-required field is missing.
Impact: The body uses ProblemDetails with errorCode, resourceKey, traceId and sometimes field.
If from/to are missing on runtime lists, the API returns field = From.
401 Unauthorized
HTTP
Optional
The bearer token is missing, expired or not valid for this API host.
Impact: Request a new token from /connect/token and retry with Authorization: Bearer <token>.
Do not send client_secret to public API endpoints; it is only used at the token endpoint.
403 Forbidden
HTTP
Optional
The token is valid but does not contain the required scope.
Impact: Select the scope shown in the request header area, get a new token, then retry.
Calling /v1/usage/commit needs limitrail.usage.write.
404 Not Found
HTTP
Optional
The requested id or external account reference does not exist for the current tenant.
Impact: The tenant is resolved from the OAuth client, so data from another tenant is not visible.
An existing account in another tenant still returns 404.
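A client-side sketch of the token handling described above, added here as an example and not LimitRail's own code: it keeps the token in memory only, renews it before expires_in elapses, sends client_secret to the token endpoint only, and checks the granted scope locally before a call. The names TokenCache and post_form, the 60-second renewal margin and the token URL passed in by the caller are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request


def post_form(url, fields):
    """Default transport: form-encoded POST over HTTPS, JSON body back."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as r:
        return json.load(r)


class TokenCache:
    """Holds the bearer token in memory only and renews it before it expires."""

    def __init__(self, token_url, client_id, client_secret, scopes,
                 post=post_form, clock=time.monotonic, skew=60):
        self._url, self._id, self._secret = token_url, client_id, client_secret
        self._scopes, self._post, self._clock, self._skew = list(scopes), post, clock, skew
        self._token, self._expires_at, self.granted = None, 0.0, set()

    def _fetch(self):
        # client_secret is sent to the token endpoint only, never to API calls.
        body = self._post(self._url, {
            "grant_type": "client_credentials",
            "client_id": self._id,
            "client_secret": self._secret,
            "scope": " ".join(self._scopes),
        })
        if body.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self._token = body["access_token"]
        # Renew `skew` seconds early (assumed margin) to avoid racing the expiry.
        self._expires_at = self._clock() + body["expires_in"] - self._skew
        # Response scope is optional; per RFC 6749 5.1, absent means "as requested".
        self.granted = set(body.get("scope", " ".join(self._scopes)).split())

    def invalidate(self):
        """Call after a 401 so the next auth_header() requests a fresh token."""
        self._token = None

    def auth_header(self, required_scope):
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        if required_scope not in self.granted:
            # The API would answer 403; fail locally instead of sending the call.
            raise PermissionError(f"token lacks scope {required_scope}")
        return {"Authorization": f"Bearer {self._token}"}
```

On a 401 from an API endpoint, call invalidate() and retry once with a new auth_header(); a PermissionError means the client needs a token with the missing scope, not a retry.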