NOTE: This is available for staging ONLY.
The Products and the Analyzer endpoints are usable via a machine-to-machine token. The actual client id and secret are stored in the password manager under Machine-Machine insights+ staging.
To use:
Step 1. Send a POST request to: https://nswers.us.auth0.com/oauth/token
The body of the request should be:
{
"client_id":"(replace with value from password manager)",
"client_secret":"(replace with value from password manager)",
"audience":"https://dev.api.nswers.org/insights",
"grant_type":"client_credentials"
}
The response will be:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZ...(long text string here representing the token)",
"scope": "(can change, unused values)",
"expires_in": 3600,
"token_type": "Bearer"
}
Ideally, the token is held in memory until it expires (expires_in is given in seconds), and only then is a new token requested. The endpoint that issues the token is rate limited, so be careful about how often it is called (which can be a lot if done programmatically).
Step 2. Use the token to make a request:
In order to make requests (either POST or GET), two header values must be set:
- Authorization
  - Value: Bearer <value from access_token in response>
  - NOTE: Some tools automatically prepend “Bearer ” when the token is set in a dedicated authorization configuration (like Postman or Requestly), so only the token value needs to be entered.
- nswers-subscription-key
  - Value: <value from Research Subscription Key in password manager>
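For programmatic use, the caching advice in Step 1 and the two headers from Step 2 can be combined as below. This is an added example, not code from the original page; the environment variable names, the class and function names, and the 60-second refresh margin are assumptions.

```python
import json
import os
import threading
import time
import urllib.request

TOKEN_URL = "https://nswers.us.auth0.com/oauth/token"  # from Step 1
AUDIENCE = "https://dev.api.nswers.org/insights"       # from Step 1


def fetch_token():
    """POST the Step 1 body. Env var names are assumed; fill them from the password manager."""
    body = json.dumps({
        "client_id": os.environ["NSWERS_CLIENT_ID"],
        "client_secret": os.environ["NSWERS_CLIENT_SECRET"],
        "audience": AUDIENCE,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one token in memory only and refreshes it shortly before it expires."""

    def __init__(self, fetch=fetch_token, clock=time.monotonic, margin=60):
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:  # one refresh at a time, so threads do not hit the rate limit
            if self._token is None or self._clock() >= self._expires_at:
                data = self._fetch()
                self._token = data["access_token"]
                # Refresh `margin` seconds early so a request never carries a stale token.
                lifetime = max(int(data["expires_in"]) - self._margin, 0)
                self._expires_at = self._clock() + lifetime
            return self._token

    def headers(self, subscription_key):
        """The two header values required in Step 2."""
        return {"Authorization": "Bearer " + self.get(),
                "nswers-subscription-key": subscription_key}
```

Create one `TokenCache` per process and pass `cache.headers(key)` to every request, so the token endpoint is called about once per hour instead of once per call.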
Currently, the available endpoints are:
Special note for Postman or Requestly
The client_id, client_secret, and subscription key values should be stored as secrets (either globally or for that specific environment) and then referenced by variable name only.
These tools allow a post-request script to run. The script that runs after requesting a token can be configured to set a variable with the retrieved token. For example, a Requestly script would look like this:
// Parse the JSON body of the token response
const data = rq.response.json();
// Store the access token in the environment variable "authToken"
rq.environment.set("authToken", data.access_token);
Then, in the tab that makes data requests, the Authorization bearer token can be set by referencing this variable: {{authToken}}. This way, the token does not need to be copied and pasted. In Postman, it is also possible to trigger the request for the authorization token before running the current request, to keep the token refreshed.