InventoryPro

Authentication

The API uses OAuth 2.0 client credentials. Every request (except the token endpoint itself) requires a valid bearer token in the Authorization header.

Your administrator provides a client ID and secret.

POST /Token

curl -X POST https://your-host/api/v1/Token \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

Response:

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1Ni...",
  "token_type": "bearer",
  "expires_in": 14399
}

The token is valid for 4 hours. Request a new token before the current one expires.

You can also authenticate using HTTP Basic (-u "CLIENT_ID:SECRET") instead of form fields.

Using the Token

Include the token in all subsequent requests:

curl "https://your-host/api/v1/Item?page=1&pageSize=10" \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1Q..."

PowerShell

$tokenResponse = Invoke-RestMethod -Uri "https://your-host/api/v1/Token" `
    -Method Post `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = "YOUR_CLIENT_ID"
        client_secret = "YOUR_CLIENT_SECRET"
    }
$token = $tokenResponse.access_token

# Use the token in subsequent requests
$items = Invoke-RestMethod -Uri "https://your-host/api/v1/Item?page=1&pageSize=10" `
    -Headers @{ Authorization = "Bearer $token" }

Token Lifecycle

| Event | Behavior |
| --- | --- |
| Token issued | Valid for 4 hours from creation |
| Token expired | API returns 401; request a new token |
| Credentials rotated | Existing tokens issued with old credentials continue working until they expire |
| Account disabled | New tokens cannot be issued; existing tokens may continue for up to 60 seconds (cache window) |
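
The lifecycle rules above, as an added shell example that is not part of the InventoryPro documentation: it caches the token, renews it before the 4-hour lifetime ends, and renews once more if a request returns 401. The INVPRO_* environment variables, the 300-second REFRESH_MARGIN and all function names are assumptions; credentials are read from the environment, in line with the Security Notes.

```sh
# Added example; INVPRO_* variables, REFRESH_MARGIN and function names are hypothetical.
API_BASE="${INVPRO_API_BASE:-https://your-host/api/v1}"
REFRESH_MARGIN=300              # assumed margin: renew 5 minutes before expiry
TOKEN=""; TOKEN_EXPIRES_AT=0    # cached token and its expiry (epoch seconds)
now() { date +%s; }             # clock, kept separate so it can be stubbed

# Read one field (string or number) of a flat JSON object on stdin.
json_field() {
  tr -d '\n' | sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}[:space:]]*\).*/\1/p'
}

# POST /Token; credentials come from the environment, not from the script.
fetch_token() {
  curl -sS --fail -X POST "$API_BASE/Token" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=$INVPRO_CLIENT_ID" \
    --data-urlencode "client_secret=$INVPRO_CLIENT_SECRET"
}

# Cache the token from response $1; reject one without a token or lifetime.
store_token() {
  tok=$(printf '%s' "$1" | json_field access_token)
  ttl=$(printf '%s' "$1" | json_field expires_in)
  case "$ttl" in ''|*[!0-9]*) return 1 ;; esac
  [ -n "$tok" ] || return 1
  TOKEN=$tok; TOKEN_EXPIRES_AT=$(( $(now) + ttl ))
}

# Fresh = more than REFRESH_MARGIN seconds left; ensure_token renews otherwise.
token_is_fresh() { [ -n "$TOKEN" ] && [ $(( TOKEN_EXPIRES_AT - $(now) )) -gt "$REFRESH_MARGIN" ]; }
ensure_token() {
  token_is_fresh || { resp=$(fetch_token) && store_token "$resp"; }
}

# http_get PATH OUTFILE: write the body to OUTFILE, print the HTTP status.
http_get() {
  curl -sS -o "$2" -w '%{http_code}' "$API_BASE/$1" -H "Authorization: Bearer $TOKEN"
}

# api_get PATH OUTFILE: GET with the cached token.
api_get() {
  ensure_token || return 1
  code=$(http_get "$1" "$2") || return 1
  if [ "$code" = 401 ]; then    # token expired: renew once and retry
    TOKEN=""; ensure_token || return 1
    code=$(http_get "$1" "$2") || return 1
  fi
  case "$code" in 2??) return 0 ;; *) return 1 ;; esac
}
```

Source the file, export INVPRO_CLIENT_ID and INVPRO_CLIENT_SECRET, then call api_get 'Item?page=1&pageSize=10' items.json; the token endpoint is contacted only when the cached token is missing, near expiry, or rejected with 401.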

Authorization

Each set of API credentials maps to an integration user in Inventory Pro. That user belongs to a permission group, just like human users. The API enforces:

  • Action permissions — each endpoint requires a specific security permission. If the group doesn’t grant it, you get HTTP 403.
  • Warehouse scope — operations are limited to the warehouses assigned to your integration user. Attempting to read or write data in other warehouses returns 403.
  • Read-only mode — if the user is marked read-only, all POST/PUT/DELETE requests return 403.
  • Report access — the Reports endpoint respects report-level permissions from the user’s group.

Security Notes

  • Never embed credentials in client-side code or public repositories
  • Use HTTPS exclusively — credentials sent over HTTP are rejected
  • Rotate secrets periodically through your administrator
  • Each integration should use its own credentials — don’t share across systems
