Vizit Public APIAPI
Standards

Authentication

Machine-to-machine authentication with OAuth 2.0 client credentials.

The Vizit Public API uses machine-to-machine authentication. Vizit provisions credentials for your organization, you exchange those credentials for a short-lived access token, and you send that token as a Bearer token on protected /v1/** requests.

Overview

Authentication follows the OAuth 2.0 client credentials pattern:

  1. Vizit provides a client_id and client_secret for your organization and environment.
  2. Your backend exchanges those credentials at POST /auth/token.
  3. The API returns a Bearer access token.
  4. Your integration sends Authorization: Bearer <access_token> on subsequent API requests.

The token endpoint does not require a Bearer token. Protected resource endpoints do.

The token request body must include organization, the Auth0 organization ID Vizit issues during onboarding, alongside client_id, client_secret, grant_type, and audience. The audience is always https://ext.vizit.com.

{
  "client_id": "<your_client_id>",
  "client_secret": "<your_client_secret>",
  "audience": "https://ext.vizit.com",
  "grant_type": "client_credentials",
  "organization": "<your_organization_id>"
}

Environments

Use the base URL for the environment Vizit assigned to your integration:

EnvironmentBase URL
Productionhttps://ext.vizit.com
Development (dev1)https://dev1.ext.vizit.com
Development (dev2)https://dev2.ext.vizit.com
Development (dev3)https://dev3.ext.vizit.com
Development (dev4)https://dev4.ext.vizit.com
Development (dev5)https://dev5.ext.vizit.com

Credentials are environment-specific: use production credentials only against production and dev1 credentials only against dev1.

The API audience remains https://ext.vizit.com across environments.

Token Lifetime

Access tokens are valid for the number of seconds returned in the token response's expires_in value (for example, 86400 seconds, or 24 hours).

  • Cache the token until it expires instead of requesting a new one for every API call.
  • If a cached token expires or you receive a 401 Unauthorized, request a fresh token and retry once.

Security Notes

  • Store client_secret only in secure server-side systems such as your backend or a secrets manager.
  • Do not embed machine-to-machine credentials in browser apps, mobile apps, or any distributed client.
  • Treat the client_secret as a long-lived secret and the access token as a short-lived credential.

API Reference

The exact POST /auth/token request body, response schema, and examples live in the API reference:

On this page