Start your Client Credentials flow

Create and submit your app. If you are looking to be listed on the Vibe marketplace, the approval period is 5-10 business days.

Use this flow for server-to-server integrations with no end user — cron jobs, exports, and backends. Your application authenticates as itself using its client_id and client_secret, with no user interaction.

If a Vibe user is signing into your app and granting your app access to their accounts, use the Authorization Code flow instead — see Start your OAuth flow.

If your platform does not support OAuth redirects, you can still integrate using Client Credentials: your app acts as a template, and advertisers who install it from the Marketplace generate their own credentials from it.


App information

Fill in the App information tab:

| Field | Required | Description |
| --- | --- | --- |
| App name | Yes | Displayed to users when they authorize your app |
| App category | Yes | Category used for marketplace listing |
| Short description | Yes | One-liner shown on the marketplace listing |
| App logo | Yes (for marketplace) | Square image identifying your app |
| Description | No | Full description visible to Vibe users |
| How it works | No | Explanation of what your app does with Vibe data |
| App screenshots | No | Images shown on the marketplace listing |

Authentication

On the Authentication tab, select API Key as the authentication method, then configure:

Scopes

Select only the permissions your integration needs.

Support

Fill in the Support tab. At least one support contact method is required to publish your app to the Marketplace.

| Field | Required for Marketplace | Description |
| --- | --- | --- |
| Company domain | No | Your company's website |
| Support email | Yes | Contact email shown to users after installation |
| Documentation URL | No | Link to your integration docs |
| Support website URL | No | Link to your support portal |

Publishing

Your app starts in Draft status. Once all required fields are filled in, click Publish to submit it for review and make it available in the Marketplace.

Getting your Client Credentials

Once your app has been created, go to the Marketplace to generate your Client Credentials.

This gives you the client_id and client_secret used in the token request below.

Keep the client_secret secret — never expose it in client-side code or version control.

Public apps

Once your app is public, advertisers can install it from the Marketplace and generate their own client credentials. Your app acts as a template: the credentials an advertiser generates take all the scopes you selected when configuring the app. Choose your app's scopes accordingly — every installation is granted exactly that set of permissions on the advertiser's account.

This also makes Client Credentials the integration path for partners whose platform does not support OAuth redirects: instead of sending users through the Authorization Code flow, each advertiser installs the app and provides the generated credentials to the partner.



Base URL

All OAuth endpoints are available at:

https://api.vibe.co

💡 Developer note — Pick the right grant

For server-to-server integrations with no end user, such as cron jobs, exports, and backends, use client_credentials.

When a Vibe user is signing into your app and granting your app access to their accounts, use authorization_code.

Don't use client_credentials to act on a user's account.


Client Credentials Flow

Use this flow when your application needs access to its own resources, with no user involved. There is no redirect and no consent screen — your server requests a token directly from the token endpoint.

Step 1 — Request a token

Make a server-side POST request to the token endpoint. Never make this request from client-side code, as it requires your client secret.

POST https://api.vibe.co/oauth2/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <BASE64(YOUR_CLIENT_ID:YOUR_CLIENT_SECRET)>

grant_type=client_credentials
&scope=campaigns:read

The Authorization header value is Basic followed by the Base64 encoding of <client_id>:<client_secret>.

| Parameter | Required | Description |
| --- | --- | --- |
| grant_type | Yes | Must be client_credentials |
| scope | No | Space-separated list of scopes to request (e.g. campaigns:read). If omitted, the token is issued with all scopes available to your client. |

Example request:

curl -sX POST https://api.vibe.co/oauth2/token \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "scope=campaigns:read"

Example response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}

The Client Credentials flow does not issue a refresh_token. The access token expires after 1 hour.

Step 2 — Call the API

Include the access token as a Bearer token in the Authorization header of every API request:

GET https://api.vibe.co/*
Authorization: Bearer <ACCESS_TOKEN>


Token Response Reference

| Field | Type | Description |
| --- | --- | --- |
| access_token | string | JWT token to use in API requests. TTL 1 hour. |
| token_type | string | Always Bearer |
| expires_in | integer | Access token lifetime in seconds |

Access tokens are JWTs. You can inspect the payload by Base64-decoding the middle segment (between the two . characters). The payload contains standard claims such as sub, scope, iat, and exp. Do not rely on the token payload structure in your integration logic — use the API responses instead.


Token Renewal

Client Credentials tokens cannot be refreshed — there is no refresh_token. When an access token expires (after the duration indicated by expires_in), request a new one from the token endpoint exactly as in Step 1. Request a new token when the current one expires, or shortly before, rather than requesting one per API call.


Error Reference

Errors from the token endpoint follow OAuth 2.0 standard error codes.

⚠️ Gotcha — OAuth error envelope

400 and 401 responses from OAuth endpoints follow RFC 6749 §5.2: { "error": "invalid_grant", "error_description": "..." }.

They do not use the Vibe error envelope. Parse both shapes in code that handles OAuth and the rest of the Vibe API.

| Error | Description |
| --- | --- |
| invalid_client | Client authentication failed. Check your client_id and client_secret. |
| invalid_request | A required parameter is missing or malformed. |
| invalid_scope | One or more of the requested scopes are invalid or not permitted for your client. |
| unsupported_grant_type | The requested grant type is not supported. |

Error responses from the token endpoint are JSON:

{
  "error": "invalid_client",
  "error_description": "Client authentication failed."
}
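
An added example, not part of Vibe's documentation, covering the Token Renewal and OAuth error envelope sections above: a Python token cache that requests a token as in Step 1, reuses it until shortly before expires_in elapses, and raises on RFC 6749 error bodies. TokenCache, OAuthError, http_post and the 60-second skew are assumptions made for illustration; the Vibe error envelope is not shown on this page, so only the OAuth shape is parsed.

```python
import base64, json, time, urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://api.vibe.co/oauth2/token"  # token endpoint from this page

class OAuthError(Exception):
    """RFC 6749 section 5.2 error returned by the token endpoint."""
    def __init__(self, status, error, description):
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error, self.description = status, error, description

def http_post(url, headers, body):
    """Default transport: POST and return (status, raw_body), including 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()

class TokenCache:
    """Hypothetical helper: one token per lifetime, renewed `skew` seconds early."""
    def __init__(self, client_id, client_secret, scope=None,
                 post=http_post, clock=time.monotonic, skew=60):
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._headers = {"Authorization": f"Basic {basic}",
                         "Content-Type": "application/x-www-form-urlencoded"}
        form = {"grant_type": "client_credentials"}
        if scope:  # omitting scope yields every scope the client has
            form["scope"] = scope
        self._body = urllib.parse.urlencode(form).encode()
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._renew_at = None, 0.0

    def get(self):
        """Return the cached token, requesting a new one only near expiry."""
        if self._token is not None and self._clock() < self._renew_at:
            return self._token
        status, raw = self._post(TOKEN_URL, self._headers, self._body)
        try:
            data = json.loads(raw)
        except ValueError:  # e.g. an HTML error page from a proxy
            data = {}
        data = data if isinstance(data, dict) else {}
        if status != 200 or "access_token" not in data:
            raise OAuthError(status, data.get("error", "unexpected_response"),
                             data.get("error_description", ""))
        self._token = data["access_token"]
        self._renew_at = self._clock() + int(data.get("expires_in", 0)) - self._skew
        return self._token
```

Load the client_id and client_secret from the environment or a secret manager when constructing the cache; the exception text carries only the server's error fields, never the credentials.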