Authentication

Bead APIs currently use the OAuth 2 Resource-Owner Password grant. Your client submits:

• client_id and client_secret

• the service-account username and password

• the fixed scope string openid profile email

The server returns a short-lived bearer token, which you send in the Authorization header of every subsequent API request.

Token endpoints

Client IDs and scope

No other scopes are accepted at this time.

Obtain an access token

curl -X POST "https://identity.test.devs.beadpay.io/oauth/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "grant_type=password" \
     -d "client_id=bead-integrator" \
     -d "client_secret=$CLIENT_SECRET" \
     -d "username=$USER_EMAIL" \
     -d "password=$USER_PASSWORD" \
     -d "scope=openid profile email"

Successful response

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type":   "Bearer",
  "expires_in":   3600,
  "scope":        "openid profile email"
}

Reuse the token until it expires, then request a new one. There is no refresh-token step in the password-grant flow.

Authorizing API calls

curl -X GET "$BEAD_API/Locations/{id}" \
     -H "Authorization: Bearer $ACCESS_TOKEN"

A 401 Unauthorized response means the token is missing, expired, or was generated with a different client_id than the endpoint expects.

Error responses

Best practices

• Cache tokens in memory until expires_in − 60 s, then fetch a new one.

• Separate secrets – keep sandbox and production credentials in different vault entries.

• Store credentials securely – environment variables or a secret-manager vault, never in source control.

• Plan ahead – future versions will add finer-grained scopes and may migrate to client-credentials for server-to-server integrations.