API Clients and Credentials
An API client represents one machine-to-machine integration.
Each API client has a clientId and clientSecret. Use these credentials to call Create Access Token, then use the returned Bearer token to call REST APIs.
Client Fields
| Field | Description |
|---|---|
| Client name | Human-readable name used in the developer console |
| clientId | Client identifier used to obtain access tokens |
| clientSecret | Secret value used to request access tokens |
| Scopes | Permissions granted to this API client |
| Status | Whether the API client is active or disabled |
Credential Rules
- clientSecret is shown only when it is created or rotated
- After leaving the creation or rotation page, clientSecret is not shown again in plain text
- Store clientSecret only in server-side secret storage
- Do not store clientSecret in browser code, mobile apps, public repositories, or screenshots
- Use one API client per integration or environment when possible
- Disable unused API clients
Token Usage
API clients do not call device APIs directly with clientSecret.
They first exchange credentials for an access token:
```http
POST /wlte/v1/auth/token
```
Then they call REST APIs with:
```http
Authorization: Bearer {accessToken}
```
Rotation Guidance
Credential rotation should be planned so that service downtime is avoided.
Recommended process:
- Create or rotate to a new clientSecret.
- Deploy the new secret to your server-side integration.
- Verify token creation and one read-only API call.
- Stop using the old secret.
- Disable or revoke the old secret if the console supports it.
If a credential may have been exposed, disable it immediately and create a new one.
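The verification step of the rotation process above (token creation plus one read-only call), sketched as an added example that is not part of the original documentation. Assumptions: the token endpoint accepts a JSON body with clientId and clientSecret and returns an accessToken field, the environment variable names are illustrative, and READ_ONLY_PATH is a placeholder to replace with a real read-only endpoint.

```python
import functools
import json
import os
import urllib.error
import urllib.request

TOKEN_PATH = "/wlte/v1/auth/token"                 # from the page
READ_ONLY_PATH = "/wlte/v1/READ_ONLY_PLACEHOLDER"  # placeholder, not a real endpoint


def http_send(base_url, method, path, headers, body=None):
    """Transport: send one JSON request, return (status, parsed body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url + path, data=data, method=method,
        headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def verify_new_secret(client_id, new_secret, send):
    """Token creation plus one read-only call, using the new secret.

    The result holds only booleans, so it is safe to log.
    """
    # Assumed request/response shape: JSON in, "accessToken" out.
    status, payload = send("POST", TOKEN_PATH, {},
                           {"clientId": client_id, "clientSecret": new_secret})
    token = payload.get("accessToken") if status // 100 == 2 else None
    if not token:
        return {"token_created": False, "read_ok": False}
    status, _ = send("GET", READ_ONLY_PATH, {"Authorization": f"Bearer {token}"})
    return {"token_created": True, "read_ok": status // 100 == 2}


if __name__ == "__main__":
    # Assumed variable names; the secret is read from the server-side
    # environment, never from source code or command-line arguments.
    send = functools.partial(http_send, os.environ["API_BASE_URL"])
    result = verify_new_secret(os.environ["API_CLIENT_ID"],
                               os.environ["API_CLIENT_SECRET_NEW"], send)
    print(result)
    raise SystemExit(0 if all(result.values()) else 1)
```

Run it after deploying the new secret and before retiring the old one; a non-zero exit means the old secret should stay in use until the failure is understood.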
