Skip to main content

Client Credentials

Mustafa Eroğlu avatar
Written by Mustafa Eroğlu
Updated over 12 months ago

Client Credentials

Client credentials are used to obtain API access tokens. Users can edit or delete client credential objects

The Client Credentials is a safe, sophisticated and modern way to authenticate APIs. With the Client Credentials the API ecosystem will be more secure and structured.

  • A maximum of ten Client Credential objects can be created in one operation. Each Client Credential can have a maximum of 10 access tokens. Thus, a maximum of 100 access tokens can be present in one operation at a time.

  • When a client credential is deleted, the related access tokens become invalid.

The user can edit or delete a client credentials object. If a client credential is deleted its related access tokens become invalid. The client credential object has the attributes below:

  • Name: Any given name to identify client credential object

  • Description: Brief information regarding the client credential’s purpose.

  • Added API: Allows you to define APIs individually for each client credential. In this field, you can add, edit, and remove specific APIs. This enables you to define customized API access permissions for each client credential.

  • Allowed IPs: The IP addresses and/or IP address blocks that the client credential will be bounded by can be set here. Any other attempt from another IP address will not be successful.

  • API List: This design allows users to view the existing API list and add or remove APIs collectively. From the 'Add API' section, you can add specific APIs, and with the 'Unselect All' option, you can clear all selected APIs. This enables you to manage API access permissions according to specific client credentials.


After saving the Client Credentials, you can access the Client ID and Client Secret information.

The ClientID and ClientSecret information is only shown once for security purposes so it is crucial for the user to make a note of these values before moving onto the next step. The access tokens refresh themselves hourly so it is imperative to setup a structure that fetches the new access token information accordingly.

Did this answer your question?