All API requests require a Bearer token.
All BuyerCaddy API requests require a valid OAuth2 Bearer token.
Tokens are obtained via Client Credentials Flow from Auth0.
Every request must include:
Authorization: Bearer <access_token>
1) Get a token (Client Credentials)
Token endpoint: POST https://pawannachnani.us.auth0.com/oauth/token
Body parameters (JSON):
- client_id: your client id
- client_secret: your client secret
- audience: must be https://api.salescaddy.ai
- grant_type: always client_credentials
Example Auth

cURL:
curl -sS -X POST "https://pawannachnani.us.auth0.com/oauth/token" -H "Content-Type: application/json" -d '{
  "client_id":"YOUR_CLIENT_ID",
  "client_secret":"YOUR_CLIENT_SECRET",
  "audience":"https://api.salescaddy.ai",
  "grant_type":"client_credentials"
}' | jq -r '.access_token'
export TOKEN="PASTE_TOKEN_HERE"
JavaScript:
const res = await fetch("https://pawannachnani.us.auth0.com/oauth/token", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    client_id: "YOUR_CLIENT_ID",
    client_secret: "YOUR_CLIENT_SECRET",
    audience: "https://api.salescaddy.ai",
    grant_type: "client_credentials"
  })
});
if (!res.ok) throw new Error(`Token request failed: ${res.status}`);
const { access_token } = await res.json();
console.log(access_token);
Python:
import requests
r = requests.post("https://pawannachnani.us.auth0.com/oauth/token",
                  json={
                      "client_id": "YOUR_CLIENT_ID",
                      "client_secret": "YOUR_CLIENT_SECRET",
                      "audience": "https://api.salescaddy.ai",
                      "grant_type": "client_credentials"
                  })
r.raise_for_status()  # fail fast on a 4xx/5xx instead of reading a missing key
print(r.json()["access_token"])
C#:
using System.Net.Http.Json;  // PostAsJsonAsync / ReadFromJsonAsync live here, not in System.Net.Http.Headers
var http = new HttpClient();
var res = await http.PostAsJsonAsync(
    "https://pawannachnani.us.auth0.com/oauth/token",
    new {
        client_id = "YOUR_CLIENT_ID",
        client_secret = "YOUR_CLIENT_SECRET",
        audience = "https://api.salescaddy.ai",
        grant_type = "client_credentials"
    });
res.EnsureSuccessStatusCode();
var token = (await res.Content.ReadFromJsonAsync<Dictionary<string, object>>())["access_token"]?.ToString();
Console.WriteLine(token);
2) Use the token
Pass the token in every request via the header Authorization: Bearer <token>.
Example Authorized Request

cURL:
curl -sS "https://api.salescaddy.ai/api/vendors?page=0&size=5" -H "Authorization: Bearer $TOKEN"
JavaScript:
const res = await fetch("https://api.salescaddy.ai/api/vendors?page=0&size=5", {
  headers: { Authorization: `Bearer ${process.env.TOKEN}` }
});
console.log(await res.json());
Python:
import os, requests
r = requests.get("https://api.salescaddy.ai/api/vendors",
                 params={"page": 0, "size": 5},
                 headers={"Authorization": f"Bearer {os.environ['TOKEN']}"})
print(r.json())
C#:
using System.Net.Http.Headers;
var http = new HttpClient();
// Read the token from the TOKEN environment variable, as the other samples do; never hardcode it
var token = Environment.GetEnvironmentVariable("TOKEN");
http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
var res = await http.GetAsync("https://api.salescaddy.ai/api/vendors?page=0&size=5");
Console.WriteLine(await res.Content.ReadAsStringAsync());
Sample 401 response (missing/expired token):
{
"status": 401,
"error": "Unauthorized",
"message": "Missing or invalid access token"
}
3) Token lifetime & rotation
- Lifetime: typically short-lived (e.g., 1 hour). Be ready to refresh.
- Rotation: call the /oauth/token endpoint again with your client credentials.
- Best practice: get a token at app startup and cache it in memory; refresh automatically on 401.
4) Common errors
| Code | Meaning | Fix |
|---|---|---|
| 401 | Unauthorized | Refresh the token; ensure the Authorization: Bearer header is set. |
| 403 | Forbidden | Verify your client is allowed to access the resource. |
| 429 | Rate limited | Retry with exponential backoff. |
5) Security best practices
- Never hardcode secrets in source code; use env vars or secret managers.
- Rotate client secrets regularly.
- Scope the audience strictly to https://api.salescaddy.ai.
- Don't log tokens or secrets.
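An added example, not part of the BuyerCaddy docs or any SDK, that puts sections 3 and 4 together: a small Python client that caches the token in memory, re-fetches it once when the API answers 401, and backs off exponentially on 429. The fetch_token callable is whatever obtains the token (the section 1 Python request wrapped in a function); the fake transport, token strings and response bodies in demo() are constructed so the example runs offline.

```python
import time

AUDIENCE = "https://api.salescaddy.ai"


class BuyerCaddyClient:
    """Caches the bearer token in memory, re-fetches it once on 401 and
    backs off exponentially on 429, as sections 3 and 4 recommend."""

    def __init__(self, fetch_token, send, max_retries=3, sleep=time.sleep):
        self._fetch_token = fetch_token  # () -> access_token, e.g. the section 1 request
        self._send = send                # (method, url, headers) -> (status, json_body)
        self._sleep, self._max_retries = sleep, max_retries
        self._token, self.token_fetches = None, 0

    def _auth_header(self):
        if self._token is None:          # fetched lazily at first use; never logged
            self._token = self._fetch_token()
            self.token_fetches += 1
        return {"Authorization": f"Bearer {self._token}"}

    def get(self, url):
        refreshed, retries = False, 0
        while True:
            status, body = self._send("GET", url, self._auth_header())
            if status == 401 and not refreshed:
                self._token = None       # cached token rejected: refresh exactly once
                refreshed = True
            elif status == 429 and retries < self._max_retries:
                self._sleep(2 ** retries)  # 1s, 2s, 4s ...
                retries += 1
            else:
                return status, body


def demo():
    """Constructed offline run: the cached token has expired, then the API rate-limits once."""
    responses = iter([(401, {"status": 401, "error": "Unauthorized",
                             "message": "Missing or invalid access token"}),
                      (429, {"status": 429, "error": "Too Many Requests"}),
                      (200, {"content": [{"id": "vendor-1"}]})])
    seen_auth, waits = [], []
    def fake_send(method, url, headers):   # stands in for requests.get (constructed)
        seen_auth.append(headers["Authorization"])
        return next(responses)
    tokens = iter(["tok-expired", "tok-fresh"])  # stands in for the Auth0 token call (constructed)
    client = BuyerCaddyClient(lambda: next(tokens), fake_send, sleep=waits.append)
    status, body = client.get(f"{AUDIENCE}/api/vendors?page=0&size=5")
    return status, body, client.token_fetches, seen_auth, waits
```

demo() returns the final status and body, the number of token fetches (2: startup plus one refresh), the Authorization headers the transport saw, and the backoff waits ([1] for the single 429). A second 401 after the refresh is returned to the caller rather than retried, so a revoked client is not hammered in a loop.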