This page explains how to obtain an OAuth 2.0 access token using the Client Credentials flow. You’ll use this token as a Bearer token when calling the Resistant Documents API.

What you need

  • Client ID
  • Client Secret
  • The stage you’re targeting: Testing or Production
  • The cell you’re targeting (e.g., eu-1, us-1, ca-1, ap-2, ap-3)
If you’re a partner integrating for multiple tenants, make sure you’re using the correct credentials for the specific tenant/stage/cell you are operating in.

Choose your Token URL

Use the Token URL that matches your stage + cell.
| Stage | Cell | AWS Region | Token URL |
|---|---|---|---|
| Prod | eu-1 | eu-west-1 (Ireland) | https://eu.id.resistant.ai/oauth2/aus2un1hkrKhPjir4417/v1/token |
| Prod | us-1 | us-east-1 (N. Virginia) | https://eu.id.resistant.ai/oauth2/aus3tzuy12e5blAJi417/v1/token |
| Prod | ca-1 | ca-central-1 (Canada) | https://eu.id.resistant.ai/oauth2/ausd6inbxjwgeJfq4417/v1/token |
| Prod | ap-2 | ap-south-1 (Mumbai) | https://eu.id.resistant.ai/oauth2/aus827qzu1l953dI4417/v1/token |
| Prod | ap-3 | ap-southeast-2 (Sydney) | https://eu.id.resistant.ai/oauth2/ausp40dse1Q0rzDq6417/v1/token |
| Test | eu-1 | eu-west-1 (Ireland) | https://eu.id.resistant.ai/oauth2/aus17c52xbW6c0yA9417/v1/token |

Brief introduction to OAuth 2.0 (client credentials)

OAuth 2.0 is an authorization protocol used to obtain an access token that your application can use to call an API without sending user credentials on every request. For the Resistant Documents API, you’ll use the Client Credentials flow:
  • Your service is provisioned with a Client ID and Client Secret
  • You exchange them for a short-lived access token
  • You use that token in Authorization: Bearer <token> for API calls

Token validity and expiration

Access tokens are time-limited. You should:
  • Reuse the same token for multiple API calls until it expires
  • Request a new token only when needed (to avoid unnecessary token issuance)
You can determine token lifetime using:
  • The expires_in field returned by the token endpoint (recommended and always available)
Some tokens may also expose expiration as JWT claims (only if the token is a JWT and you choose to decode it), typically iat and exp.
Do not rely on decoding the token to drive refresh logic. Treat expires_in as the source of truth.
Example JWT payload fields (illustrative):
{
  "iat": 1742473136,
  "exp": 1742474036
}

How to use the token

Include the access token in the Authorization header of Documents API requests:
Authorization: Bearer <access_token>

Token request details

HTTP request
  • Method: POST
  • Headers:
    • Authorization: Basic <base64(client_id:client_secret)>
    • Content-Type: application/x-www-form-urlencoded
    • Accept: application/json
  • Body (form-urlencoded):
    • grant_type=client_credentials
    • scope=submissions.read submissions.write

Scopes

Use these scopes when requesting a token:
  • submissions.read — read analysis results
  • submissions.write — create submissions (and other write actions)

Examples

cURL

Pick the correct Token URL from the table above, then request a token:
TOKEN_URL="https://eu.id.resistant.ai/oauth2/<auth_server_id>/v1/token"
CLIENT_ID="<your_client_id>"
CLIENT_SECRET="<your_client_secret>"

BASIC_AUTH=$(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')

curl -sS --request POST \
  --url "$TOKEN_URL" \
  --header "accept: application/json" \
  --header "authorization: Basic $BASIC_AUTH" \
  --header "content-type: application/x-www-form-urlencoded" \
  --data "grant_type=client_credentials&scope=submissions.read submissions.write"
If you prefer Postman, import the collections your Resistant AI contact provides (Documents API and Tenant Management API). Keep the stage/cell-specific Token URL aligned with the base URL you call.
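Token reuse as described under "Token validity and expiration", combined with the request from "Token request details". This is an added example, not part of the original page and not Resistant AI's own code. Assumptions: the response carries the standard OAuth 2.0 `access_token` field next to `expires_in`, and the 60-second refresh margin, the https check and the names `TokenCache`, `fetch_token` and `build_token_request` are illustrative.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

SCOPES = "submissions.read submissions.write"  # scopes listed on this page


def build_token_request(token_url, client_id, client_secret):
    """Build the POST described under 'Token request details'."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials", "scope": SCOPES}
    body = urllib.parse.urlencode(form).encode()  # encodes the space in scope
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return urllib.request.Request(token_url, data=body, method="POST", headers=headers)


def fetch_token(token_url, client_id, client_secret):
    """Call the token endpoint and return the parsed JSON response."""
    if not token_url.startswith("https://"):
        raise ValueError("token URL must use https")  # never send the secret in clear
    req = build_token_request(token_url, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuse one token until shortly before expires_in elapses."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):  # skew: assumed margin (s)
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            resp = self._fetch()
            self._token = resp["access_token"]
            # expires_in is the source of truth; the token is never decoded.
            self._expires_at = now + max(int(resp["expires_in"]) - self._skew, 0)
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.get()}"}
```

Wire it up with `TokenCache(lambda: fetch_token(token_url, client_id, client_secret))`, loading the secret from your secret store rather than from source code, and pass `auth_header()` to each Documents API call.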