Skip to main content



Bold Penguin supports OAuth2 using client credentials type grant requests. Most service requests to the Bold Penguin API must be authorized using ephemeral access tokens from the authentication service. The static tokens used for dispositioning requests are the only exception.

Access tokens are valid for 12 hours.


Your account manager will provide you with a unique Client ID and Client Secret per Bold Penguin environment.





You submit an OAuth2 client credentials grant and receive an access_token in response. This is your bearer token for subsequent API requests.

You must submit your credentials as a basic authentication header. Combine your Client ID and Client Secret separated by a colon, (client_id:client_secret), then apply Base64 encoding.

Add the basic authentication header to your request:

authorization: Basic XXxxb2VmOTdBTkxjN1pHZHNDQ0ZXazFyTjZZWWc1c0o6TXFSTVJSVzdRUGdXdllXYTRva2XxxXF2MXBkM1hhYkRmUFRkQkdFa1pQR2p2Y0pObUttd29kNGd3ZExGS3lDbx==



Request Syntax

POST /auth/token?grant_type=client_credentials
authorization: Basic <base64-credentials>

Request Parameters

Query String Parameters

  • grant_type
    • Must be client_credentials
    • Type: String
    • Required: Yes


  • authorization: Basic <base64-credentials>

Response Syntax

"access_token": <string>,
"token_type": "bearer",
"expires_in": <integer>,
"refresh_token": <string>,
"scope": <empty string>,
"uid": <string>,
"info": {
"name": <string>,
"email": null,
"first_name": <string>,
"last_name": <string>

Response Elements

  • access_token
    • The bearer token to provide for subsequent API requests
    • Type: String
  • token_type
    • Type: String
    • This will always be bearer
  • expires_in
    • Expiration for this token is 12 hours set in seconds (43200)
    • Type: Integer
  • refresh_token
    • Refresh tokens are not currently enabled
    • Type: String
  • scope
    • Access scope for this token (currently an empty string)
  • uid
    • Unique ID for this token
    • Type: String
  • info
    • Service client details for your account(often "Tenant Integrations Service Client")
    • Type: JSON

Status Codes

  • 200 Success
  • 401 Unauthorized (verify client credentials and authorization header)


Example Request

curl --request POST \
--url '' \
--header 'authorization: Basic XXxxb2VmOTdBTkxjN1pHZHNDQ0ZXazFyTjZZWWc1c0o6TXFSTVJSVzdRUGdXdllXYTRva2XxxXF2MXBkM1hhYkRmUFRkQkdFa1pQR2p2Y0pObUttd29kNGd3ZExGS3lDbx==' \

Example Response

"access_token": "7UkvNeAabPduAvyvu4XEqSCC",
"token_type": "bearer",
"expires_in": 43200,
"refresh_token": "wYwtq6NGie5paAR2XHK6uF1f",
"scope": "",
"uid": "f00718ea-3c64-45f1-99de-2ac34cea139a",
"info": {
"name": "Tenant Integrations Service Client",
"email": null,
"first_name": "Tenant Integrations",
"last_name": "Service Client"
"extra": {
"raw_info": {
"user_id": "8de85azr-ec20-4f2c-b8b4-0ae3c067c73b",
"tenant_id": "8823a91f-54f9-4866-aec7-67a5f1062be1",
"tenant_name": "Chuck's Agency",
"primary_user_group_id": "a621af94-f454-4ffc-b56c-08971630b622",
"user_group_ids": [
"name": "Tenant Integrations Service Client",
"email": null,
"first_name": "Tenant Integrations",
"last_name": "Service Client",
"permissions": [
"auth_uid": null,
"completed_steps": []