Machine to Machine Applications
Applications enable access to resources through the API. Applications are limited to a bound set of scopes, and enable 0Auth 2.0 access token grants through the Client Credentials flow.
Last updated
Applications enable access to resources through the API. Applications are limited to a bound set of scopes, and enable 0Auth 2.0 access token grants through the Client Credentials flow.
Last updated
Machine to machine Applications are used for running process automation and systems integration. Common usage includes:
All API interaction
Postman scripts
Systems integration and process automation
Once created, an Application can grant access tokens through the OAuth 2.0 Client Credentials authentication flow. The access token allows access to the API, limited by the scopes defined on the Application.
From the Integrations navigation pane menu, select Applications.
Click New Application.
On the New Application page, enter a suitable Name and Description. As your Organization can have multiple Applications, it is important that they can be clearly told apart; the Name and Description should make it clear what the Application will be used for.
Name and Description can be edited later.
Scopes are used to manage which API resources the Application will be permitted to access. As a general security rule, you should aim to minimize the amount of scopes for your Applications, narrowing permissions according to the tasks to be performed.
Note that scopes can only be selected during Application creation. Once created, scopes are fixed. If you need to change the scopes, you must create a new Application.
Click the Create Application button to finish.
Once the Application is created, you will be presented with its OAuth 2.0 Client Credentials.
As a security best practice, these are only presented this one time, so please take care to capture and store them accordingly.
Important!
Client Credentials should be kept secretly! Treat them with the same level of secrecy as you would treat your platform user password.
For convenience, the Client Credentials are available in several ways:
As the "raw" client id and client secret. You can use the copy-icons for copying these individually.
As a downloadable .env environment file, which also includes a full set of API variables.
As a downloadable Postman environment file, which can be imported directly into Postman.
Access token grants are request on the endpoint documented here on the Transmute platform OpenAPI Specification. Using the Client Credential CLIENT_ID and CLIENT_SECRET you can now authenticate to obtain an access token with POST /oauth/token:
The response looks something like this:
By including this access token in the response header, you can now make authenticated calls to the remaining API endpoints. GET /credentials, for example, returns all of the application’s credentials:
Note that you can also authenticate directly through OpenAPI Specification, which enables API calls from the OAS's "Try" buttons.
Postman also has a built in API authentication feature which can be enabled simply by importing the Application's Postman environment file.
Your new Application is now listed on the Applications page.
From its ellipsis menu, choose view.
The Application details page allows you to:
Update the Name and Description metadata.
See the Application's scopes (but not change them).
If Name or Description has been changed, click Update to save the changes.
Finally, an Application can be deleted directly from the ellipsis menu. Client Credentials from a deleted Application can no longer be used for authentication.
