Authentication

Pryzma uses the OAuth 2.0 client credentials grant. Your backend exchanges a client_id and client_secret for a short-lived JWT, then passes that JWT as a Bearer token on every API request.

There are no refresh tokens in the client credentials flow — re-request a token before the current one expires.


Token endpoint

```http
POST https://pryzma-dev-client.auth.us-east-1.amazoncognito.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
```

| Parameter | Value |
|---|---|
| grant_type | client_credentials |
| client_id | Your credential's client ID |
| client_secret | Your credential's client secret |
| scope | Space-separated list of scopes |

Token lifetime: 1 hour (expires_in: 3600). Cache the token for its lifetime and request a new one shortly before it expires, rather than requesting one per API call.


Scopes

| Scope | Description |
|---|---|
| https://api.pryzma.global/accounts.read | List and retrieve accounts |
| https://api.pryzma.global/accounts.write | Create and update accounts |
| https://api.pryzma.global/programs.read | List and retrieve programs |
| https://api.pryzma.global/programs.write | Create programs |

Request only the scopes your integration needs. Credentials can hold multiple scopes; list them space-separated in the scope parameter.


Code examples

Read the secret from an environment variable rather than pasting it into the command, and let curl URL-encode each form field (scope values contain `:` and `/`):

```bash
curl -sS -X POST https://pryzma-dev-client.auth.us-east-1.amazoncognito.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=YOUR_CLIENT_ID" \
  --data-urlencode "client_secret=${PRYZMA_CLIENT_SECRET}" \
  --data-urlencode "scope=https://api.pryzma.global/accounts.write"
```

Passing the token

Include the token in the Authorization header of every API request:

```http
Authorization: Bearer <access_token>
```

Error responses

| Error | HTTP | Cause |
|---|---|---|
| {"error":"invalid_token"} | 401 | Token expired, malformed, or revoked |
| {"error":"missing_bearer_token"} | 401 | Authorization header absent |
| {"error":"insufficient_scope"} | 403 | Token lacks required scope for the operation |
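The token request, in-process caching, renewal before expiry, Bearer header and the error handling from the sections above, put together as an added Python example. This is not Pryzma's own SDK. It assumes an API base of https://api.pryzma.global (taken from the scope URIs; the `/accounts` resource path, the client ID `my-client-id` and the secret `s3cret` are constructed for the demo) and ships with an in-memory fake of the token endpoint and API, `FakeCognitoAndApi`, that implements the documented responses so the block runs offline; pass `urllib_transport` (the default) to talk to the real endpoints.

```python
"""Client-credentials helper for the Pryzma API (added example, not Pryzma's SDK): request,
cache and renew the token, send it as a Bearer, map the documented errors. Runs offline via a fake."""
import json, time
from urllib.error import HTTPError
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://pryzma-dev-client.auth.us-east-1.amazoncognito.com/oauth2/token"
API_BASE = "https://api.pryzma.global"  # assumed from the scope URIs; the "/accounts" path is hypothetical
SCOPE_ACCOUNTS_READ, SCOPE_ACCOUNTS_WRITE = API_BASE + "/accounts.read", API_BASE + "/accounts.write"

class PryzmaAuthError(Exception):  # 401/403 from the API, or a non-200 from the token endpoint
    def __init__(self, status, error):
        super().__init__(f"HTTP {status}: {error}")
        self.status, self.error = status, error

def urllib_transport(method, url, headers, body):
    """Real HTTPS transport returning (status, raw_body); 4xx/5xx are returned, not raised."""
    try:
        with urlopen(Request(url, data=body, headers=headers, method=method), timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()

class PryzmaClient:
    RENEW_SKEW = 60  # renew this many seconds before expires_in elapses; there are no refresh tokens
    def __init__(self, client_id, client_secret, scopes, transport=urllib_transport, clock=time.monotonic):
        self.client_id, self.client_secret, self.scopes = client_id, client_secret, list(scopes)
        self.transport, self.clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def fetch_token(self):
        form = urlencode({"grant_type": "client_credentials", "client_id": self.client_id,
                          "client_secret": self.client_secret, "scope": " ".join(self.scopes)}).encode()
        status, raw = self.transport("POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, form)
        payload = json.loads(raw)
        if status != 200:
            raise PryzmaAuthError(status, payload.get("error", "token_request_failed"))
        self._token = payload["access_token"]
        self._expires_at = self.clock() + payload["expires_in"] - self.RENEW_SKEW  # local expiry estimate
        return self._token

    def token(self):
        if self._token is None or self.clock() >= self._expires_at:  # renew inside the skew window
            self.fetch_token()
        return self._token

    def request(self, method, path, body=None, _retried=False):
        headers, data = {"Authorization": f"Bearer {self.token()}"}, None
        if body is not None:
            headers["Content-Type"], data = "application/json", json.dumps(body).encode()
        status, raw = self.transport(method, API_BASE + path, headers, data)
        if status == 401 and not _retried:  # invalid_token: revoked or expired server-side, retry once
            self._token = None
            return self.request(method, path, body, _retried=True)
        if status in (401, 403):  # insufficient_scope needs a credential with that scope, never a retry
            raise PryzmaAuthError(status, json.loads(raw).get("error", "unknown"))
        return status, json.loads(raw) if raw else None

class FakeCognitoAndApi:
    """Constructed offline stand-in for the token endpoint and API with the documented responses."""
    def __init__(self, clock):
        self.clock, self.issued, self.token_requests = clock, {}, 0

    def __call__(self, method, url, headers, body):
        if url == TOKEN_URL:
            form = dict(parse_qsl(body.decode()))
            if form.get("grant_type") != "client_credentials" or form.get("client_secret") != "s3cret":
                return 400, b'{"error":"invalid_client"}'
            self.token_requests += 1
            tok = f"opaque-token-{self.token_requests}"  # the real endpoint returns a JWT
            self.issued[tok] = (self.clock() + 3600, set(form.get("scope", "").split()))
            return 200, json.dumps({"access_token": tok, "token_type": "Bearer", "expires_in": 3600}).encode()
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, b'{"error":"missing_bearer_token"}'
        tok = auth[len("Bearer "):]
        if tok not in self.issued or self.issued[tok][0] <= self.clock():
            return 401, b'{"error":"invalid_token"}'
        if (SCOPE_ACCOUNTS_READ if method == "GET" else SCOPE_ACCOUNTS_WRITE) not in self.issued[tok][1]:
            return 403, b'{"error":"insufficient_scope"}'
        return 200, b'{"accounts": []}'

def demo():
    """Exercise caching, renewal inside the skew window, a revoked token and a missing scope."""
    clock = [0.0]
    server = FakeCognitoAndApi(lambda: clock[0])
    client = PryzmaClient("my-client-id", "s3cret", [SCOPE_ACCOUNTS_READ], transport=server, clock=lambda: clock[0])
    out = {"first_status": client.request("GET", "/accounts")[0]}
    client.request("GET", "/accounts")
    out["tokens_after_two_calls"] = server.token_requests  # 1: the second call reused the cached token
    clock[0] += 3600 - 30  # 30 s before expiry, inside RENEW_SKEW
    client.request("GET", "/accounts")
    out["tokens_after_skew"] = server.token_requests  # 2: renewed before the old token died
    server.issued.clear()  # server-side revocation
    out["after_revoke_status"] = client.request("GET", "/accounts")[0]  # 401 invalid_token -> refetch -> 200
    out["tokens_after_revoke"] = server.token_requests  # 3
    try:
        client.request("POST", "/accounts", {"name": "acme"})
    except PryzmaAuthError as err:
        out["write"] = (err.status, err.error)  # (403, "insufficient_scope"): token only has accounts.read
    return out
```

The two retry rules are the point: a 401 is retried exactly once with a freshly fetched token, because `invalid_token` can arrive before the local expiry estimate when a credential is revoked; a 403 `insufficient_scope` is never retried, since no amount of re-requesting the same credential will add a scope it does not hold.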

Store your client_secret in a secrets manager (AWS Secrets Manager, Vault, etc.) — never commit it to source control or expose it in client-side code.