Authentication

TRESO2 API uses bearer token authentication via OpenID Connect (OAuth2). The OAuth2 flow differs between API versions — make sure you use the one matching the API version you integrate against.

V2 — OAuth2 Password Grant

V2 uses the OAuth2 Password Grant flow with a public client. Authentication requires a dedicated API user with the api realm role — standard TRESO2 web UI accounts cannot be used to obtain an API token.

• Public client — no client secret required
• API user must have the api realm role; web UI credentials do not work for API access
• Tokens have a short lifetime and must be refreshed regularly

For token endpoints, code examples and interactive testing, see the Authentication section in the V2 documentation.

For detailed OAuth2 documentation, see: OAuth 2.0 Password Grant

V3 — OAuth2 Client Credentials

V3 switches to the OAuth2 Client Credentials flow, intended for machine-to-machine integrations only. Username/password login is not supported for API v3.

• Exchange a client_id / client_secret pair for a token from your backend, CLI or integration tool — never from a browser
• The client_secret is confidential and must not be exposed in a frontend or entered in Scalar
• Scalar only accepts the resulting access_token; do not enter client_id/client_secret in the UI
• The access token must carry an invoicehub-clientId claim used as the machine principal
• A valid OAuth/Keycloak token may still be rejected at the business level if no permissions exist for userId = invoicehub-clientId

For token endpoints, code examples and the full set of v3 token checks, see the Authentication section in the V3 documentation.

For detailed OAuth2 documentation, see: OAuth 2.0 Client Credentials