Management API Credentials
The Management API uses client credentials (client ID and client secret) for secure server-to-server authentication using the OAuth 2.0 Client Credentials flow.
Overview
Client credentials are used exclusively for server-to-server authentication to the Management API. These credentials should be treated as highly sensitive and never exposed in client-side code or public repositories.
Getting Your Credentials
Create Management API Credentials
- Log in to your Sesamy dashboard
- Navigate to Settings > API > Applications
- Click Create Application
- Select Management API as the application type
- Provide an application name
- Click Create
- Your `client_id` and `client_secret` will be displayed
- Copy and securely store both values
Keep Your Credentials Secret
Never commit credentials to version control or expose them in any client-side code. If your credentials are compromised, revoke them immediately and generate new ones.
Using Client Credentials - OAuth 2.0 Client Credentials Flow
Step 1: Request an Access Token
Send a POST request to the token endpoint with your credentials:
```bash
curl -X POST https://token.sesamy.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "audience=https://api.sesamy.com"
```

Response:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 86400
}
```

`expires_in` is the token lifetime in seconds (86400 is 24 hours); request a new token before it elapses rather than on every API call.

Step 2: Use the Access Token
Include the access token in the Authorization header of your Management API requests:
```bash
curl -X GET https://api.sesamy.com/management/v1/publishers \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

With SDKs
Since Sesamy uses Auth0-compatible authentication, you can use any Auth0-compatible SDK to obtain the access token, then call the Management API endpoints as in Step 2:

JavaScript (Node.js, `auth0` package v4):

```javascript
import { AuthenticationClient } from 'auth0';

// Obtain a Management API token with the Client Credentials grant.
// Credentials come from the environment, never from source code.
const auth = new AuthenticationClient({
  domain: 'auth.sesamy.com',
  clientId: process.env.SESAMY_CLIENT_ID,
  clientSecret: process.env.SESAMY_CLIENT_SECRET,
});

const { data: { access_token } } = await auth.oauth.clientCredentialsGrant({
  audience: 'https://api.sesamy.com',
});

// Call the Management API with the token (the same request as Step 2).
const response = await fetch('https://api.sesamy.com/management/v1/publishers', {
  headers: { Authorization: `Bearer ${access_token}` },
});
const publishers = await response.json();
```

Python (`auth0-python` v4):

```python
import os
import requests
from auth0.authentication import GetToken

domain = 'auth.sesamy.com'
client_id = os.environ['SESAMY_CLIENT_ID']
client_secret = os.environ['SESAMY_CLIENT_SECRET']

# Obtain a Management API token with the Client Credentials grant.
get_token = GetToken(domain, client_id, client_secret=client_secret)
token = get_token.client_credentials('https://api.sesamy.com')

# Call the Management API with the token (the same request as Step 2).
response = requests.get(
    'https://api.sesamy.com/management/v1/publishers',
    headers={'Authorization': f"Bearer {token['access_token']}"},
)
response.raise_for_status()
publishers = response.json()
```

Best Practices
1. Store Securely
Use environment variables or a secrets management service:
```bash
# .env file (never commit this!)
SESAMY_CLIENT_ID=YOUR_CLIENT_ID
SESAMY_CLIENT_SECRET=YOUR_CLIENT_SECRET
```

2. Implement Token Caching
Cache the access token and reuse it until shortly before its `expires_in` lifetime elapses instead of calling the token endpoint for every request; a token request per API call adds latency and sends your client secret over the wire each time for no benefit. Protect the cached token as carefully as the secret itself: anyone holding it can call the Management API until it expires.
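The following is an added example, not code from the Sesamy documentation or SDKs. It puts Step 1 (the token request), Step 2 (the bearer call) and the caching advice above into one small client: the token is requested from the token endpoint only when none is cached or the cached one is within a safety margin of its `expires_in` lifetime. The endpoints and parameters are the ones shown on this page; the `FakeTokenEndpoint`, the fake GET transport and the timestamps are constructed so the flow can be exercised offline, and the 60-second refresh margin is a design choice, not a Sesamy requirement.

```python
import json
import time
from urllib import parse, request

# Endpoints from this page; the Management API path is the one used in Step 2.
TOKEN_URL = "https://token.sesamy.com/oauth/token"
AUDIENCE = "https://api.sesamy.com"
API_BASE = "https://api.sesamy.com/management/v1"


def _urllib_post_form(url, form):
    """POST an application/x-www-form-urlencoded body and parse the JSON reply."""
    req = request.Request(
        url,
        data=parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


def _urllib_get_json(url, headers):
    """GET a JSON resource with the given headers."""
    with request.urlopen(request.Request(url, headers=headers)) as resp:
        return json.load(resp)


class ManagementApiClient:
    """Client Credentials flow with an in-memory token cache.

    A token is requested only when none is cached or the cached one is within
    REFRESH_MARGIN seconds of expiry (expires_in is the lifetime in seconds).
    http_post, http_get and clock are injectable so the client runs offline
    against fakes.
    """

    REFRESH_MARGIN = 60  # assumed safety margin, not a Sesamy value

    def __init__(self, client_id, client_secret, http_post=_urllib_post_form,
                 http_get=_urllib_get_json, clock=time.time):
        self._client_id = client_id
        self._client_secret = client_secret  # never logged or written to disk
        self._post = http_post
        self._get = http_get
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def access_token(self):
        """Return the cached token, refreshing it when missing or about to expire."""
        if self._token is None or self._clock() >= self._expires_at - self.REFRESH_MARGIN:
            self._refresh()
        return self._token

    def _refresh(self):
        reply = self._post(TOKEN_URL, {
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "audience": AUDIENCE,
        })
        if reply.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {reply.get('token_type')!r}")
        # Expiry is computed from our own clock, so skew against the issuer does not matter.
        self._expires_at = self._clock() + int(reply["expires_in"])
        self._token = reply["access_token"]

    def get(self, path):
        """GET a Management API path with the bearer token (Step 2)."""
        return self._get(API_BASE + path, {"Authorization": f"Bearer {self.access_token()}"})


# --- Constructed fakes so the flow can be exercised without network access ---

class FakeTokenEndpoint:
    """Stand-in for token.sesamy.com: hands out token-1, token-2, ... per request."""

    def __init__(self):
        self.calls = 0

    def post(self, url, form):
        assert url == TOKEN_URL and form["grant_type"] == "client_credentials"
        self.calls += 1
        return {"access_token": f"token-{self.calls}", "token_type": "Bearer", "expires_in": 86400}


def demo():
    """Three API calls: the first two share one token; the third runs 86370 s later and refreshes."""
    now = [1_700_000_000.0]
    endpoint = FakeTokenEndpoint()
    sent = []

    def fake_get(url, headers):
        sent.append(headers["Authorization"])
        return {"publishers": []}

    client = ManagementApiClient("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                                 http_post=endpoint.post, http_get=fake_get,
                                 clock=lambda: now[0])
    client.get("/publishers")
    client.get("/publishers")   # cached token reused
    now[0] += 86400 - 30        # inside the 60 s refresh margin
    client.get("/publishers")   # new token requested
    return endpoint.calls, sent


if __name__ == "__main__":
    print(demo())
```

With the real transports (`ManagementApiClient("id", "secret")` and no overrides) the same class talks to the endpoints above; the cache lives in the process, so a multi-process deployment would share it through a secrets-grade store rather than a world-readable file.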
Revoking Credentials
If you suspect your credentials have been compromised:
- Go to Settings > API > Applications
- Find the application with compromised credentials
- Click the application to view details
- Click Revoke to revoke the credentials
- Generate new credentials immediately
- Update all applications using the old credentials
Troubleshooting
401 Unauthorized
If you receive a 401 Unauthorized error:
- Verify your `client_id` and `client_secret` are correct
- Check that the credentials haven't been revoked
- Ensure you're using the correct environment (development vs. production)
- Verify the `Authorization` header is properly formatted as `Bearer TOKEN`
- Confirm the token was requested with `audience=https://api.sesamy.com` and that its `expires_in` lifetime has not elapsed
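Added diagnostic example, not code from the Sesamy documentation: the checks in the 401 list above that can be made locally (header shape, token expiry, audience) applied to an `Authorization` header value. It decodes the JWT payload without verifying the signature, which is enough to spot an expired token or a token minted for the wrong audience but says nothing about whether the server will accept it; full validation is the subject of the JWT Tokens page. The `aud` and `exp` claim names are the standard JWT claims and are assumed here, and `make_unverified_test_token` builds constructed tokens with a dummy signature purely for local testing.

```python
import base64
import json
import time

EXPECTED_AUDIENCE = "https://api.sesamy.com"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, payload) of a JWT WITHOUT checking its signature. Diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def diagnose_authorization(header_value, expected_audience=EXPECTED_AUDIENCE, now=None):
    """List the local reasons an Authorization header could be rejected with 401."""
    now = time.time() if now is None else now
    problems = []
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        return ["Authorization header must be 'Bearer <token>'"]
    if any(ch.isspace() for ch in token):
        return ["token contains whitespace; check for stray spaces or line breaks"]
    try:
        _, claims = decode_jwt_unverified(token)
    except ValueError:
        return ["token is not a decodable JWT; the access_token field may have been truncated"]
    exp = claims.get("exp")
    if exp is None:
        problems.append("token has no exp claim")
    elif now >= exp:
        problems.append(f"token expired {int(now - exp)} s ago; request a new one")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"token audience {audiences} does not include {expected_audience}; "
                        "check the audience parameter of the token request")
    return problems


def make_unverified_test_token(claims):
    """Constructed sample token: real header and payload, dummy signature. Never valid upstream."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.not-a-real-signature"


if __name__ == "__main__":
    now = 1_700_000_000
    stale = make_unverified_test_token({"aud": "https://auth.sesamy.com/api/v2/", "exp": now - 120})
    print(diagnose_authorization("Bearer " + stale, now=now))
```

Run against a real header value taken from a failing request (with `now` left at the default) to see which of the three conditions applies before rotating credentials.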
403 Forbidden
If you receive a 403 Forbidden error:
- Verify your credentials have access to the Management API
- Confirm the requested resource is available in your plan
- Check your rate limits haven't been exceeded
Invalid Client
If you receive an "invalid_client" error:
- Verify your `client_id` and `client_secret` are correct
- Ensure neither value contains extra whitespace
- Confirm the application is active in your dashboard
Next Steps
- OAuth 2.0 - Learn about authorization flows for apps and websites
- JWT Tokens - Understanding and validating access tokens
- API Reference - Explore available Management API endpoints