The JAVIS API uses OAuth 2.0 Client Credentials Grant for authentication.
To interact with the API, clients must obtain an access token and include it in the Authorization header of their requests.

JAVIS supports environment-specific authentication, meaning each environment (Dev, UAT, Prod) has different base URLs and tokens.

🔑 How It Works

Obtain API credentials (Client ID & Secret).
Request an access token from the OAuth token endpoint.
Use the token in API requests via the Authorization header.
Renew the token upon expiration (OAuth 2.0 default expiry).

🔗 Token Endpoints

Each environment has its own token URL:

Environment	Token URL
Staging	`https://sandbox.api.javis.ai/oauth2/token`
User Acceptance Testing (UAT)	`https://uat.api.javis.ai/oauth2/token`
Production (Prod)	`https://api.javis.ai/oauth2/token`

🔧 Generating an Access Token

To generate a token, send a POST request to the relevant token URL, providing your Client ID and Client Secret.

📌 Request

curl --request POST \
  --url "https://sandbox.api.javis.ai/oauth2/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET"

📌 Response

{
  "access_token": "eyJraWQiOiJJbzlmS...",
  "expires_in": 3600,
  "token_type": "Bearer"
}

⏳
Token Expiry: The access token expires in 1 hour (3600 seconds). You must request a new token when it expires.
🔄 Refresh Tokens: Not supported; generate a new access token when needed.

🔐 Using the Access Token

Once you obtain the token, include it in the Authorization header in all API requests:

📌 Example Request

curl --request GET \
  --url "https://sandbox.api.javis.ai/api/v1/purchase-orders" \
  --header "Authorization: Bearer YOUR_ACCESS_TOKEN"

🛠 Scopes & Permissions

JAVIS API enforces scopes to control access levels:

Scope	Description
`read`	Retrieve data (e.g., fetch purchase orders).
`write`	Modify data (e.g., create/update purchase orders).
`admin`	Full access to all operations.

📌 Requesting Specific Scopes

curl --request POST \
  --url "https://sandbox.api.javis.ai/oauth/token" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=read write"

🔒 Security Best Practices

✅ Never expose your Client Secret in public repositories or frontend applications.
✅ Use environment-specific credentials to prevent accidental data modifications in production. ✅ Implement IP whitelisting if required for added security.