API Getting Started

This is a technical tutorial for getting started with Machine-to-Machine integration calling the VDP API. It supplements the full VDP OpenAPI spec which can be found here.
As a prerequisite for interacting with the VDP API, you must have access to a VDP organization. If you are not already a member of an organization, please sign up and create a free trial organization.

Application Creation

Once logged in to your organization, you must first create a Machine-to-Machine Application which you need in order to authenticate your code, scripts or services through the OAuth 2.0 Client Credentials flow.
Navigate to Organization -> Applications and click “+” to create a new Application.
Adding an application
Adding an application
Give the Application a suitable name and description.
Also, select suitable scopes for the Application. Scopes allow you to restrict your Application’s access, limiting the granted OAuth token’s permissions.
Application Creation Details.
Application Creation Details.
As a general security best practice, you should limit your Applications’ scopes to narrowly support your requirements. Avoid excessive scopes.
Once created, your application will be listed in the Applications panel and include Client ID and Client Secret, which you can copy into your code.
Application Client Id and Client Secret.
Application Client Id and Client Secret.
Alternatively by expanding the Application details you can copy the full environment details through “Copy .Env”.
Copy all environment details.
Copy all environment details.
CLIENT_ID and CLIENT_SECRET are secret! Treat them as you would treat your platform user password.


Using the application’s CLIENT_ID and CLIENT_SECRET you can now authenticate to obtain an access token with POST /oauth/token:
curl --location --request POST '' \
--header 'Content-Type: application/json' \
--data-raw '{
"audience": "",
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET",
"grant_type": "client_credentials"
The response looks something like this:
"access_token": "YOUR_ACCESS_TOKEN",
"token_type": "Bearer",
"expires_in": 86400
By including this access token in the response header, you can now make authenticated calls to the remaining API endpoints. GET /organizations, for example, returns all metadata of the application’s organization:
curl --location --request GET '' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer YOUR_ACCESS_TOKEN'