Authentication

The Breeze API uses OAuth 2.0 client credentials for machine-to-machine authentication.

Before you start

You need a client_id and client_secret. A Breeze administrator creates these — see OAuth Client Management.

Tokens are environment-specific — a test token does not work in production. See Environments for the base URLs. Examples below use the test environment.

Requesting a token

curl -X POST https://system.upnxt.no/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "oauth_abc123",
    "client_secret": "s3cr3t_xyz789"
  }'

Response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}

expires_in is seconds until expiry. Default is 3600 (1 hour).

Using the token

Add the token to every GraphQL request:

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

Token caching

Do not request a new token on every API call. Cache the token and request a new one ~5 minutes before expiry.

if token is null or (now + 5 minutes) > token.expires_at:
    token = request_new_token()
return token.access_token

Handling token expiry

An expired token returns:

{
  "errors": [
    {
      "message": "Token validation failed",
      "extensions": { "code": "UNAUTHENTICATED" }
    }
  ]
}

Request a new token and retry the request.

Rate limiting

The token endpoint allows 100 requests per hour per client_id. Token caching is the primary mitigation. See Rate limiting for GraphQL API limits and how to handle 429 responses.

Error reference

Token endpoint errors use the OAuth 2.0 format — a JSON object with error and error_description fields, not the GraphQL errors array.

Code	Cause	Resolution
`invalid_client`	Wrong `client_id`, wrong `client_secret`, or expired client	Check `error_description` for details; if the client has expired, ask an administrator to rotate the secret
`invalid_request`	Missing required parameters	Include `grant_type`, `client_id`, and `client_secret`
`unsupported_grant_type`	Only `client_credentials` is supported	Use `"grant_type": "client_credentials"`

For GraphQL error codes (UNAUTHENTICATED, FORBIDDEN, and others), see Error handling. For 429 responses and token endpoint limits, see Rate limiting.

Security

Store client_secret in an environment variable or secret manager. Never commit it to version control.
Rotate secrets every 90 days.
Never log tokens or secrets.

Before you start​

Requesting a token​

Using the token​

Token caching​

Handling token expiry​

Rate limiting​

Error reference​

Security​