Authentication
All Business Journeys APIs are protected. This page describes how to obtain and use credentials to call the APIs.
Client credentials
Access credentials consist of a client_id and client_secret.
These identify your integration and must be kept secret.
To obtain credentials, contact your Coolblue business representative or the Business Journeys team. We will ask for:
- Your company name and integration use case.
- Technical contact person.
- Email address and mobile phone number for secure secret delivery.
Secure secret delivery
We share secrets securely using a combination of email and SMS two‑factor authentication to the contact details you provide.
Never share your client_secret over insecure channels and avoid committing it to source control.
OAuth 2.0 client credentials
Business Journeys APIs use OAuth 2.0 with the client credentials grant. The flow is:
- Your system sends a token request with client_id and client_secret.
- The token endpoint returns an access token.
- You include the token in the Authorization header of each API call as Bearer <access_token>.
curl -X POST \
"https://<environment-host>/oauth2/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET"
The token endpoint URL and any additional parameters are documented in each API's Swagger UI and “Getting started” page.
Best practices
- Store client_id and client_secret in a secure secret store.
- Rotate secrets regularly and after any suspected compromise.
- Cache access tokens and reuse them until they expire, instead of requesting a new token for every call.
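The following added example (not part of the Business Journeys documentation) implements the token request shown above together with the caching practice from the last bullet. It assumes the token response carries the standard OAuth 2.0 access_token and expires_in fields; the BJ_* environment variable names are hypothetical.

```python
import json
import os
import threading
import time
import urllib.parse
import urllib.request


def fetch_token(token_url, client_id, client_secret, timeout=10):
    """POST the client credentials grant and return the parsed JSON response."""
    if not token_url.lower().startswith("https://"):
        raise ValueError("refusing to send client_secret to a non-HTTPS URL")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        token_url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


class TokenCache:
    """Reuses one access token until shortly before it expires."""
    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._lock = threading.Lock()
        self._token, self._expires_at = None, 0.0

    def auth_header(self):
        with self._lock:  # one refresh at a time across threads
            if self._token is None or self._clock() >= self._expires_at:
                data = self._fetch()
                self._token = data["access_token"]
                # Assumption: "expires_in" (RFC 6749) is present; else use 60 s.
                ttl = int(data.get("expires_in", 60))
                self._expires_at = self._clock() + max(ttl - self._skew, 0)
            return {"Authorization": f"Bearer {self._token}"}


if __name__ == "__main__":
    # Hypothetical variable names, populated from your secret store.
    env = os.environ
    cache = TokenCache(lambda: fetch_token(
        env["BJ_TOKEN_URL"], env["BJ_CLIENT_ID"], env["BJ_CLIENT_SECRET"]))
    print(sorted(cache.auth_header()))  # header names only, never the token
```

The skew value refreshes the token slightly early so a request in flight does not arrive with a token that has just expired.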