Authentication
The Inside Labs API uses OAuth 2.0 Client Credentials for
machine-to-machine authentication. You exchange a client_id and
client_secret for a short-lived access token, then send that token on every
API request.
1. Get credentials
Before you can call the API you need three things from the Inside Labs team:
- client_id
- client_secret
- tenant — the destination/tenant identifier you'll integrate against
Credentials are issued per tenant and per environment (development /
production). Treat the client_secret like a password — never commit it,
never ship it to a browser, never log it.
2. Request an access token
POST to the Cognito token endpoint with HTTP Basic auth (client_id :
client_secret) and a form-encoded body:
POST https://api.insidelabs.io/auth/token HTTP/1.1
Body:
{
"clientId": "<client_id>",
"clientSecret": "<client_secret>",
"tenant": "<tenant>"
}
The response contains an access_token and an expires_in (seconds). Cache
the token until shortly before it expires and reuse it across requests —
don't fetch a new token for every call.
3. Call the API
Send the token as a Bearer token, and include the tenant header:
GET https://api.insidelabs.io/engagement/campaigns HTTP/1.1
Authorization: Bearer <access-token>
x-omni-tenant: <your-tenant>
Token tips
- Cache & reuse tokens until just before expires_in elapses.
- One token per tenant — if you integrate with multiple tenants, you'll have one client (and one cached token) per tenant.
- 401 Unauthorized usually means the token expired — fetch a new one and retry once.
- 403 Forbidden means the token is valid but lacks the scope/permission for that endpoint — contact us to widen your scopes.
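The token tips above, sketched as a per-tenant cache. This is an added example, not Inside Labs code: fetch_token and send are hypothetical callables standing in for the step 2 token request and the step 3 API call, and the 60-second refresh margin is an assumed value.

```python
import time

class TenantTokenCache:
    """Caches one access token per tenant; refreshes early; retries once on 401."""

    def __init__(self, fetch_token, skew=60, clock=time.monotonic):
        # fetch_token(tenant) -> (access_token, expires_in): hypothetical callable
        # wrapping the step 2 token request; the client_secret stays inside it.
        self._fetch, self._skew, self._clock = fetch_token, skew, clock
        self._tokens = {}  # tenant -> (access_token, refresh_at)

    def token(self, tenant, force=False):
        cached = self._tokens.get(tenant)
        if cached and not force and self._clock() < cached[1]:
            return cached[0]
        access_token, expires_in = self._fetch(tenant)
        # Refresh `skew` seconds before expiry; a lifetime <= skew is never reused.
        refresh_at = self._clock() + max(expires_in - self._skew, 0)
        self._tokens[tenant] = (access_token, refresh_at)
        return access_token

    def call(self, tenant, send):
        # send(headers) -> (status, body): hypothetical transport callable.
        for attempt in range(2):
            headers = {"Authorization": "Bearer " + self.token(tenant, force=attempt == 1),
                       "x-omni-tenant": tenant}
            status, body = send(headers)
            if status != 401:  # 403 and everything else go back to the caller
                break
        return status, body


def demo():
    """Constructed scenario: token issuer and API are in-memory fakes."""
    now, issued = [0.0], []
    def fetch(tenant):
        issued.append(tenant)
        return f"tok-{tenant}-{len(issued)}", 300
    def send(headers):
        # Fake API: treats tenant b's first token as already expired.
        return (401, "") if headers["Authorization"] == "Bearer tok-b-3" else (200, "ok")
    cache = TenantTokenCache(fetch, skew=60, clock=lambda: now[0])
    results = [cache.call("a", send), cache.call("a", send)]  # second call reuses
    now[0] = 241.0                                             # past 300 - 60
    results.append(cache.call("a", send))                      # refetches early
    results.append(cache.call("b", send))                      # 401, then one retry
    return results, issued
```

A second consecutive 401 is returned to the caller rather than retried again, and a 403 never triggers a token refresh.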