OAuth - Client Credentials
📝 The Client Credentials flow is enabled by an admin for private application use only, cannot be allowlisted and assumes the permissions of the admin who created the application.
One of the OAuth flows Salesloft allows is the Client Credentials flow. Client Credentials uses a server-to-server flow and does not require each end user to authenticate themselves to gain access. This flow is recommended for applications completing background tasks, system-wide integrations, or when a service needs to access data on behalf of itself and not a specific user.
OAuth is the preferred authentication method for partners. Partner Applications submitted using API Keys will not be approved.
Create an OAuth App - Client Credentials
You can create apps via Salesloft Account → Your Applications → OAuth Applications → Create New.

- Upload your Logo - SVGs with a 1:1 aspect ratio
- Fill out the blank fields:
  - Name - Name of your App
  - Description - Description of your app shown to the user turning on your integration
  - Application Type - Will this app be published as a public Frontend Integration?
    - No - this application will be used for internal purposes only
  - Grant Type - What grant type will this application be using?
    - Client Credentials - recommended for automated backend processes or server-to-server communication for private applications
  - Scopes - Select the scopes relevant to your application by clicking the checkmark next to the scope.
    - Scopes - relate to the data and actions an application can perform
    - Privileged Scopes - scopes that can access sensitive data
- Click Submit
- You will now see a screen with your:
  - Description
  - Application Id (Client Id)
  - Integration Id
  - Secret (Client Secret)
  - Application Type
  - Grant Type
  - Scopes
Obtain an Access Token
You can obtain an Access Token either by submitting a POST request with your client id and secret as body parameters, or by passing them Base64-encoded in the request headers. This section discusses both.
Option 1
Open Postman and set up a POST request to https://accounts.salesloft.com/oauth/token with the following parameters:
{
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET",
"grant_type": "client_credentials",
"scope": "SCOPES_ASSOCIATED_WITH_YOUR_APP"
}
When passing more than one scope via the scope parameter, separate the scope names with a single space. For example:
"scope": "accounts:delete accounts:read"
Here is the list of all generally available scopes associated with your app after choosing Select All when creating a new application:
accounts:delete accounts:read accounts:write opportunities:delete opportunities:read opportunities:write people:delete people:read people:write crm:read external_id:delete external_id:read external_id:write external_id_configuration:delete external_id_configuration:read external_id_configuration:write activities:read activities:write calls:read calls:write conversations:read conversations:write dialer_recordings:read emails:read emails:write meetings:read meetings:write notifications:write audit_reports:read audit_reports:write groups:write team:delete team:read team:write cadences:delete cadences:read cadences:write notes:delete notes:read notes:write signal_registrations:delete signal_registrations:read signal_registrations:write signals:write tasks:delete tasks:read tasks:write workflow:delete workflow:read workflow:write
List of Privileged Scopes:
crm_id_account:write crm_id_person:write data_control:read data_control:write email_contents:read external_emails:write

Option 2
In Postman, under the Headers section, you can Base64-encode your client id and secret and pass the result as follows:
{
"authorization": "Basic YOUR_BASE64_ENCODING"
}
It should look similar to this after encoding:
{
"authorization": "Basic AB4..."
}


By doing so, you no longer need to send your client id and secret as body parameters.
Upon submission by either option, you will get a JSON response back containing information regarding your access token. Note that expires_in is in seconds.
{
"access_token": "v2...",
"token_type": "Bearer",
"expires_in": 7200,
"scope": "accounts:delete accounts:read accounts:write opportunities:delete opportunities:read opportunities:write people:delete people:read people:write crm:read external_id:delete external_id:read external_id:write external_id_configuration:delete external_id_configuration:read external_id_configuration:write activities:read activities:write calls:read calls:write conversations:read conversations:write dialer_recordings:read emails:read emails:write meetings:read meetings:write notifications:write audit_reports:read audit_reports:write groups:write team:delete team:read team:write cadences:delete cadences:read cadences:write notes:delete notes:read notes:write signal_registrations:delete signal_registrations:read signal_registrations:write signals:write tasks:delete tasks:read tasks:write workflow:delete workflow:read workflow:write",
"created_at": 1744315928
}
Update an Access Token
Every two hours (7200 seconds) your access token will need to be updated. You can repeat the steps in the Obtain an Access Token section.
Unlike the OAuth authorization code flow, you will not receive a refresh_token.
Authorizing Requests
All requests that go to the Salesloft API will need the Authorization header set to:
{
"Authorization": "Bearer YOUR_ACCESS_TOKEN"
}
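The sketch below ties together the Option 2 token request, the two-hour renewal and the request header. It is an added example, not Salesloft's code. Assumptions: `post` is a hypothetical transport callable you wire to your own HTTP client, the Basic value is the standard HTTP Basic form (Base64 of `client_id:client_secret`), and rejecting a token whose granted scope is broader than requested is this example's own policy.

```python
import base64
import time

TOKEN_URL = "https://accounts.salesloft.com/oauth/token"  # from the page
PRIVILEGED = {"crm_id_account:write", "crm_id_person:write", "data_control:read",
              "data_control:write", "email_contents:read", "external_emails:write"}


def basic_header(client_id, client_secret):
    """Option 2: HTTP Basic credentials, base64 of 'client_id:client_secret'."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


class TokenManager:
    """Caches the access token and re-requests it shortly before it expires.

    `post` is a hypothetical transport: callable(url, headers, params) -> dict.
    The secret travels only in the header, never in the body parameters.
    """

    def __init__(self, client_id, client_secret, scopes, post, skew=60, clock=time.time):
        self._auth = basic_header(client_id, client_secret)
        self._scopes, self._post = set(scopes), post
        self._skew, self._clock = skew, clock
        self._token, self._expires_at = None, 0
        self.privileged = set()  # privileged scopes on the current token

    def _fetch(self):
        params = {"grant_type": "client_credentials",
                  "scope": " ".join(sorted(self._scopes))}  # space-separated
        resp = self._post(TOKEN_URL, {"authorization": self._auth}, params)
        granted = set(resp["scope"].split())
        extra = granted - self._scopes
        if extra:  # token is broader than this service asked for: refuse it
            raise PermissionError(f"unexpected scopes granted: {sorted(extra)}")
        self.privileged = granted & PRIVILEGED  # surface these for review
        self._token = resp["access_token"]
        # created_at and expires_in are both expressed in seconds
        self._expires_at = resp["created_at"] + resp["expires_in"]

    def auth_header(self):
        """Return the header for API calls, renewing the token when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._fetch()  # no refresh_token in this flow: repeat the request
        return {"Authorization": f"Bearer {self._token}"}
```

Load the client secret from a secrets manager or environment variable rather than source code, and request only the scopes the service needs instead of the Select All list.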
Troubleshooting
If you receive this error:
{
"error": "invalid_grant",
"error_description": "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request"
}
- Check that the request parameters are in the body and not the header
- Make sure the Headers include "Content-Type": "application/json"
- If you are using Postman, double check that the body section is set to x-www-form-urlencoded