API clients and tokens
Quick answer
Create API clients in Settings → API access. Each client has its own scopes and generates a client secret (shown once). Exchange the client ID and secret for a short-lived Bearer token at POST /api/v1/oauth/token. Tokens expire after 1 hour; request a new one as needed.
Creating an API client
Open Settings → API access
From your dashboard, go to Settings and click the API access tab.
Click Add client
Give the client a descriptive name (for example, 'My CRM sync' or 'Zapier').
Choose scopes
Select only the scopes your integration needs. Fewer scopes means less exposure if a token is compromised.
Save and copy the secret
Click Save. The client secret is shown exactly once — copy it immediately and store it securely (a password manager or secrets vault). It cannot be retrieved again.
Getting an access token
Use the OAuth 2.0 client_credentials grant. Send your client_id and client_secret either as HTTP Basic auth (recommended) or in the JSON body.
POST to /api/v1/oauth/token
Include grant_type: client_credentials. Optionally include scope as a space-delimited string to request a subset of the client's allowed scopes. Omit scope to receive all allowed scopes.
Read the response
You receive { access_token, token_type: "Bearer", expires_in: 3600, scope }. The token is valid for 1 hour.
Attach to requests
Add Authorization: Bearer <access_token> to every API request header.
Refresh when expired
When a request returns 401 invalid_token, request a new token using the same client credentials.
Example token request
Using HTTP Basic auth (client_id as username, client_secret as password):

    curl -s -X POST https://scramblesync.com/api/v1/oauth/token \
      -u "$CLIENT_ID:$CLIENT_SECRET" \
      -H "Content-Type: application/json" \
      -d '{"grant_type":"client_credentials"}'

Response:

    {
      "access_token": "sat_…",
      "token_type": "Bearer",
      "expires_in": 3600,
      "scope": "contacts:read tournaments:read"
    }
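The steps above (Basic auth, client_credentials grant, optional scope subset, 1-hour expiry, re-request on 401 invalid_token) as a small Python helper. This is an added example, not ScrambleSync's own SDK or code: it assumes only the endpoint shape documented on this page. The HTTP layer is a `transport` callable so the example runs offline; `make_fake_server`, the `sat_example_` token values, the `/api/v1/contacts` route, the `SCRAMBLESYNC_*` environment variable names and the placeholder credentials are all constructed for the demo.

```python
"""Client-credentials token helper for the token endpoint documented above.  Added
example, not the vendor's SDK.  The HTTP layer is a `transport(method, url, headers,
body) -> (status, json)` callable so it runs offline; make_fake_server is constructed."""
import base64
import json
import os
import time
from typing import Callable, Optional, Tuple

TOKEN_URL = "https://scramblesync.com/api/v1/oauth/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value base64("client_id:client_secret"), the recommended way to send credentials."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenClient:
    """Caches one Bearer token, refreshes it before expires_in elapses, retries once on 401 invalid_token."""

    def __init__(self, client_id: str, client_secret: str, transport: Callable,
                 scope: Optional[str] = None, now: Callable[[], float] = time.time, leeway: int = 60):
        self._auth = basic_auth_header(client_id, client_secret)
        self._transport = transport
        self._scope = scope          # optional space-delimited subset of the client's allowed scopes
        self._now = now
        self._leeway = leeway        # refresh this many seconds early to avoid racing expiry
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.token_requests = 0      # counter so callers can see when a fetch actually happened

    def _fetch_token(self) -> None:
        body = {"grant_type": "client_credentials"}
        if self._scope:
            body["scope"] = self._scope
        headers = {"Authorization": self._auth, "Content-Type": "application/json"}
        status, payload = self._transport("POST", TOKEN_URL, headers, json.dumps(body))
        if status != 200:
            # Error text carries only the status and error code: never the secret or a token.
            raise RuntimeError(f"token request failed: HTTP {status} {payload.get('error', '')}")
        self._token = payload["access_token"]
        self._expires_at = self._now() + payload["expires_in"] - self._leeway
        self.token_requests += 1

    def access_token(self) -> str:
        if self._token is None or self._now() >= self._expires_at:
            self._fetch_token()
        return self._token

    def request(self, method: str, url: str, body: Optional[str] = None) -> Tuple[int, dict]:
        status, payload = self._transport(method, url, {"Authorization": f"Bearer {self.access_token()}"}, body)
        if status == 401 and payload.get("error") == "invalid_token":
            self._token = None       # discard the rejected token, fetch a fresh one, retry once
            status, payload = self._transport(method, url, {"Authorization": f"Bearer {self.access_token()}"}, body)
        return status, payload


def make_fake_server(expected_auth: str, allowed_scopes=("contacts:read", "tournaments:read")):
    """Constructed in-memory stand-in for the token endpoint plus one protected route."""
    state = {"issued": [], "revoked": set()}

    def transport(method, url, headers, body):
        if url == TOKEN_URL:
            if headers.get("Authorization") != expected_auth:
                return 401, {"error": "invalid_client"}
            req = json.loads(body or "{}")
            if req.get("grant_type") != "client_credentials":
                return 400, {"error": "unsupported_grant_type"}
            requested = req.get("scope", " ".join(allowed_scopes)).split()
            if not set(requested) <= set(allowed_scopes):   # must be a subset of allowed scopes
                return 400, {"error": "invalid_scope"}
            token = f"sat_example_{len(state['issued'])}"   # constructed token value
            state["issued"].append(token)
            return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": " ".join(requested)}
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in state["issued"] or token in state["revoked"]:
            return 401, {"error": "invalid_token"}
        return 200, {"ok": True}

    return transport, state


def demo() -> dict:
    """Lazy fetch, cache reuse, refresh after expiry, and one retry after the server rejects a token."""
    # Credentials come from the environment, never from source; placeholders when unset.
    client_id = os.environ.get("SCRAMBLESYNC_CLIENT_ID", "placeholder-client-id")
    client_secret = os.environ.get("SCRAMBLESYNC_CLIENT_SECRET", "placeholder-secret")
    clock = {"t": 1_000_000.0}                             # fake clock so expiry is deterministic
    transport, state = make_fake_server(basic_auth_header(client_id, client_secret))
    client = TokenClient(client_id, client_secret, transport, scope="contacts:read", now=lambda: clock["t"])
    api = "https://scramblesync.com/api/v1/contacts"       # route name assumed for the demo only
    s1, _ = client.request("GET", api)                     # fetches token #1
    s2, _ = client.request("GET", api)                     # reuses the cached token
    clock["t"] += 3600                                     # past expires_in: next call refreshes
    s3, _ = client.request("GET", api)                     # fetches token #2
    state["revoked"].add(state["issued"][-1])              # server invalidates token #2
    s4, _ = client.request("GET", api)                     # 401 invalid_token -> token #3 -> 200
    return {"statuses": (s1, s2, s3, s4), "token_requests": client.token_requests}
```

Run `demo()` to see the four calls succeed with only three token requests. For real use, replace the fake transport with a function that performs the HTTP call (for example with `requests`) and returns `(response.status_code, response.json())`; the `leeway` refresh and the single retry on `401 invalid_token` keep long-running integrations working across the 1-hour token lifetime without ever retrying in a loop.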
Managing and revoking clients
From Settings → API access you can see all your clients, which scopes they have, and when they were last used. To revoke all tokens for a client, delete the client — all outstanding tokens for it become immediately invalid.
Security best practices
- Store client secrets in a secrets manager or environment variable — never in source code or client-side JavaScript.
- Grant only the scopes your integration actually uses.
- Use one client per integration so you can revoke access individually if needed.
- Rotate secrets periodically by deleting and recreating the client.
- Never log or expose the client secret or access token in error messages or analytics.
Frequently asked questions
How long do access tokens last?
Access tokens expire after 1 hour (3600 seconds). Request a new token from /api/v1/oauth/token using your client credentials when needed.
Can I have multiple clients?
Yes. You can create as many clients as you need. Each client has its own scopes and secret, so different integrations can be managed and revoked independently.
What happens if I lose the client secret?
The secret cannot be retrieved after creation. Delete the client and create a new one to get a new secret.
Can I request only some of my client's scopes in a token?
Yes. Pass a space-delimited scope parameter when requesting a token (for example, scope=contacts:read). The token will carry only those scopes (they must be a subset of the client's allowed scopes). Omit scope to receive all allowed scopes.