The Client Credentials Grant is the standard OAuth 2.0 flow for server-to-server API requests (RFC 6749 §4.4). This flow allows your server to authenticate directly with our API using your client credentials, without any user interaction. Here’s how it works:
Keep your client_secret secure and never expose it in client-side code. An API key provides full access to all the data in a project. Don’t hardcode it in code repositories and don’t share it with others.
Exchange for tokens
Exchange your client credentials for access and refresh tokens by making a request from your backend server. The client_id and client_secret must be sent in the Authorization header as HTTP Basic authentication credentials, i.e. the base64 encoding of client_id:client_secret (the variables must be in double quotes so the shell expands them before encoding):

curl -X POST https://api.nomos.energy/oauth/token \
  -H "Authorization: Basic $(echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | base64)" \
  -d grant_type=client_credentials
The response will include an access token (valid for 60 minutes) and a refresh token:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "1B4a2e77838347a7E420ce178F2E7c6912E169246c"
}
Make authenticated requests
Include the access token in the Authorization header of your API requests:

curl -X GET https://api.nomos.energy/subscriptions \
  -H "Authorization: Bearer ${ACCESS_TOKEN}"
Refresh expired tokens
When the access token expires, use the refresh token to obtain a new one. The request is authenticated with the same Basic credentials as the initial exchange:

curl -X POST https://api.nomos.energy/oauth/token \
  -H "Authorization: Basic $(echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | base64)" \
  -d grant_type=refresh_token \
  -d refresh_token=${REFRESH_TOKEN}
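The three steps above combined into one backend client, as an added example that is not part of the Nomos documentation: it builds the Basic credential, caches the access token for its 60-minute lifetime, refreshes it before expiry and falls back to a fresh client_credentials grant if the refresh token is rejected. The HTTP transport is injectable so the flow can be exercised without network access; the 60-second renewal skew and the fallback-on-rejected-refresh behaviour are assumptions of this example, not something the API documents.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.nomos.energy/oauth/token"  # token endpoint from the docs above


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Basic credential exactly as the curl example does: base64 of 'id:secret'."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def urllib_post(url: str, headers: dict, form: dict) -> dict:
    """Default transport: POST an application/x-www-form-urlencoded body, decode the JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Caches the access token and renews it before its 60-minute lifetime (expires_in) ends."""
    SKEW = 60  # assumption: renew this many seconds early so a request never carries a stale token

    def __init__(self, client_id, client_secret, post=urllib_post, clock=time.time):
        self._auth = basic_auth_header(client_id, client_secret)  # secret never leaves the server
        self._post, self._clock = post, clock
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _grant(self, form: dict) -> None:
        body = self._post(TOKEN_URL, {"Authorization": self._auth}, form)
        self._access = body["access_token"]
        self._refresh = body.get("refresh_token", self._refresh)  # keep the old one if none returned
        self._expires_at = self._clock() + body["expires_in"]

    def access_token(self) -> str:
        # Order of preference: cached token, refresh_token grant, new client_credentials grant.
        if self._access and self._clock() < self._expires_at - self.SKEW:
            return self._access
        if self._refresh:
            try:
                self._grant({"grant_type": "refresh_token", "refresh_token": self._refresh})
                return self._access
            except Exception:
                pass  # refresh token rejected (revoked or expired): fall back to a new grant
        self._grant({"grant_type": "client_credentials"})
        return self._access

    def bearer_header(self) -> dict:
        return {"Authorization": f"Bearer {self.access_token()}"}
```

Calling bearer_header() before every API request is enough: the manager only contacts the token endpoint when the cached token is within the skew window of expiring.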