Authentication
Machine-to-machine authentication with OAuth 2.0 client credentials.
The Vizit Public API uses machine-to-machine authentication. Vizit provisions credentials for your organization, you exchange those credentials for a short-lived access token, and you send that token as a Bearer token on protected /v1/** requests.
Overview
Authentication follows the OAuth 2.0 client credentials pattern:
- Vizit provides a
client_idandclient_secretfor your organization and environment. - Your backend exchanges those credentials at
POST /auth/token. - The API returns a Bearer access token.
- Your integration sends
Authorization: Bearer <access_token>on subsequent API requests.
The token endpoint does not require a Bearer token. Protected resource endpoints do.
The token request body must include organization, the Auth0 organization ID Vizit issues during onboarding, alongside client_id, client_secret, grant_type, and audience. The audience is always https://ext.vizit.com.
{
"client_id": "<your_client_id>",
"client_secret": "<your_client_secret>",
"audience": "https://ext.vizit.com",
"grant_type": "client_credentials",
"organization": "<your_organization_id>"
}Environments
Use the base URL for the environment Vizit assigned to your integration:
| Environment | Base URL |
|---|---|
| Production | https://ext.vizit.com |
Development (dev1) | https://dev1.ext.vizit.com |
Development (dev2) | https://dev2.ext.vizit.com |
Development (dev3) | https://dev3.ext.vizit.com |
Development (dev4) | https://dev4.ext.vizit.com |
Development (dev5) | https://dev5.ext.vizit.com |
Credentials are environment-specific: use production credentials only against production and dev1 credentials only against dev1.
The API audience remains https://ext.vizit.com across environments.
Token Lifetime
Access tokens are valid for the number of seconds returned in the token response's expires_in value (for example, 86400 seconds, or 24 hours).
- Cache the token until it expires instead of requesting a new one for every API call.
- If a cached token expires or you receive a
401 Unauthorized, request a fresh token and retry once.
Security Notes
- Store
client_secretonly in secure server-side systems such as your backend or a secrets manager. - Do not embed machine-to-machine credentials in browser apps, mobile apps, or any distributed client.
- Treat the
client_secretas a long-lived secret and the access token as a short-lived credential.
API Reference
The exact POST /auth/token request body, response schema, and examples live in the API reference: