API Quick Start
⚠️ Common Mistake: If you’re using Postman and see “Password Credentials” as a grant type option, do not select it. This causes an error. Use one of the two methods below instead.
Which Method Should I Use?
| I want to explore the API interactively | I want to connect an automation or server | I have an existing password-grant integration |
|---|---|---|
| Use Method A: Browser Login | Use Method B: Client Credentials | Use Method C: Password Grant |
| A browser window opens, you log into ScopeStack, and the token is returned automatically. | Your service account’s client ID and secret authenticate directly. No browser, no passwords. This is the recommended approach for new integrations. | You send a username and password directly. This method is supported for existing integrations but Client Credentials is preferred for new ones. |
All three methods give you the same result: an access token you can use to make API calls. Pick the one that fits your situation.
Method A: Browser Login (Authorization Code Flow)
This is the easiest way to get a token when you’re sitting at your computer testing things out.
What You Need
- Your Client ID and Client Secret (contact ScopeStack support if you don’t have these)
- A ScopeStack user account you can log into
Steps
- In Postman, go to the Authorization tab of your request or collection
- Set Auth Type to OAuth 2.0
- Configure these settings:
  - Grant Type: Authorization Code
  - Callback URL: Provided by the application
  - Auth URL: https://app.scopestack.io/oauth/authorize
  - Access Token URL: https://app.scopestack.io/oauth/token
  - Client ID: Your client ID
  - Client Secret: Your client secret
  - Scope: read write
- Click Get New Access Token
- A browser window opens—log into ScopeStack (including SSO/MFA if your account requires it)
- After login, Postman receives the token automatically
- Click Use Token
That’s it. Your requests will now include the access token in the Authorization header.
Method B: Client Credentials (Recommended for Automation)
Use this method when connecting a server, automation platform, or AI assistant to ScopeStack. No browser, no passwords needed.
What You Need
- A service account with client credentials. See the Service Account Credentials guide for setup.
Steps
- Create a new POST request
- Set the URL to: https://app.scopestack.io/oauth/token
- Go to the Authorization tab and set it to No Auth
- Go to the Body tab
- Select x-www-form-urlencoded
- Add these key-value pairs and click Send
| Key | Value |
|---|---|
| grant_type | client_credentials |
| client_id | Your service account’s Client ID |
| client_secret | Your service account’s Client Secret |
You’ll get a JSON response with your access_token. No refresh token is needed. When the token expires, make this same request again to get a new one.
Method C: Password Grant
This method is supported for existing integrations. For new integrations, use Method B (Client Credentials) instead.
What You Need
- Your account-level Client ID and Client Secret (contact ScopeStack support if you don’t have these)
- A service account username and password (see the Building Integrations guide for setup)
Steps
- Create a new POST request
- Set the URL to: https://app.scopestack.io/oauth/token
- Go to the Authorization tab and set it to No Auth
- Go to the Body tab
- Select x-www-form-urlencoded
- Add these key-value pairs and click Send
| Key | Value |
|---|---|
| grant_type | password |
| client_id | Your client ID |
| client_secret | Your client secret |
| username | Your service account email |
| password | Your service account password |
You’ll get a JSON response with your access_token and refresh_token. Copy the access_token to use in your API requests.
Verify It Worked
Make a test call to confirm your token is working and you’re connected to the right account:
- Create a GET request to: https://api.scopestack.io/v1/me
- Add these headers:
  - **Authorization:** Bearer {your_access_token}
  - **Accept:** application/vnd.api+json
- Click Send
You should see a 200 OK response with your user information, including the account-slug and account-id you’ll need for other API calls.
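Method B and the verification call above, as a Python script for an automation that caches the token and repeats the same token request once it expires. This is an added example, not ScopeStack's own code. The `expires_in` response field (standard OAuth 2.0), the 30-second margin, and the `SCOPESTACK_CLIENT_ID` / `SCOPESTACK_CLIENT_SECRET` environment variable names are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://app.scopestack.io/oauth/token"
ME_URL = "https://api.scopestack.io/v1/me"


def http_send(req):  # default transport: real HTTPS call, returns the parsed JSON body
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class ClientCredentialsSession:
    """Caches the access token and requests a new one once it expires."""

    def __init__(self, client_id, client_secret, send=http_send, clock=time.time):
        self._form = {"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret}
        self._send, self._clock = send, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        # 30 s safety margin so a token is never used right at its expiry.
        if self._token is None or self._clock() >= self._expires_at - 30:
            body = urllib.parse.urlencode(self._form).encode()
            req = urllib.request.Request(TOKEN_URL, data=body, method="POST")  # sent as x-www-form-urlencoded
            reply = self._send(req)
            if "access_token" not in reply:
                raise RuntimeError(f"token request failed: {reply.get('error', 'unknown')}")
            self._token = reply["access_token"]
            # Assumption: the reply carries the standard OAuth 2.0 expires_in field;
            # if it is absent, the token is simply requested again on every call.
            self._expires_at = self._clock() + float(reply.get("expires_in", 0))
        return self._token

    def me_request(self):
        """Build the GET /v1/me verification request with both required headers."""
        return urllib.request.Request(ME_URL, headers={
            "Authorization": f"Bearer {self.token()}",
            "Accept": "application/vnd.api+json"})


if __name__ == "__main__":  # credentials come from the environment, not the source file
    env = os.environ
    s = ClientCredentialsSession(env["SCOPESTACK_CLIENT_ID"], env["SCOPESTACK_CLIENT_SECRET"])
    print(json.dumps(http_send(s.me_request()), indent=2))
```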
Something Went Wrong?
| Error | What to Do |
|---|---|
| invalid_grant with “redirect URI” message | You probably selected “Password Credentials” in Postman’s OAuth helper. Use Method B (direct POST) instead, or switch to Authorization Code for Method A. |
| 401 Unauthorized | Check that your access token is included in the Authorization header and hasn’t expired. |
| 403 Forbidden | Your token works, but your user doesn’t have permission for that action. Check your user’s role in ScopeStack. |
| Missing Accept header error | Add the header: Accept: application/vnd.api+json |
For more detailed troubleshooting, see the Troubleshooting API Authentication guide.