Implemented using the Client Credentials grant type, this method is tailored for server-to-server scenarios. It allows secure access to the API without user interaction, leveraging token-based authentication for enhanced security.

1. Creating a Connected App

Pre-requisites

You must have "admin" permission in the Zylo application.

Connected Apps in Zylo are used to create the permissions, client_id, and client secret needed to exchange for the OAuth2 Client Credentials access token.

In the Admin page within the Zylo application, find the "Connected Apps" tab.

Select the "Create Connected App" button to open up the "Create Connected App" modal.

Fill out the fields and click "Save" to generate your client_id and client_secret.

📘
Important Note
Your client_secret can only be viewed once. Be sure to copy it and save it into a secure place.

After creating the connected app, you can edit it at any time to update your permissions.

2. Using the `client_id` and `client_secret`

The client_id and client_secret are used to create an access token that can be used to access Zylo API resources.

The client_id (UUID) and client_secret (64-character alphanumeric string) are combined, separated by a colon, base64 encoded, and then used as a basic token to retrieve the access token (Authorization: Basic <base64 encoded {client_id}:{client_secret}>).

The Content-Type for the request must be set to application/x-www-form-url-encoded.

Below is an example using the client_id and client_secret to retrieve an access token:

curl --request POST \
  --url https://api.zylo.com/oauth2/token \
  --header "Authorization: Basic $(printf '{client_id}:{client_secret}' | base64)" \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials

The response is a JSON object that includes three values:

access_token: The OAuth2 Client Credentials access token (JWT) used to authorize against Zylo API resources.
token: The token type, always returns "bearer".
expires_on: The time (Epoch Unix Timestamp) in which the access token will expire.

3. Using the OAuth2 Client Credentials access token

The OAuth2 Access Token is included in the Authorization request header for all authenticated API resources.

Below is an example using the OAuth2 Client Credentials access token in a request:

curl --request GET \
  --url https://api.zylo.com/v2/applications \
  --header 'Authorization: Bearer {token}' \
  --header 'Content-Type: application/json'