The Client Credentials Grant is the standard OAuth 2.0 flow for server-to-server API requests (RFC 6749 §4.4). This flow allows your server to authenticate directly with our API using your client credentials, without any user interaction. Here’s how it works:

Keep your client_secret secure and never expose it in client-side code. An API key provides full access to all the data in a project. Don’t hardcode it in code repositories and don’t share it with others.

1. Get your credentials

Contact support@nomos.energy to obtain your client_id and client_secret.

2. Exchange for tokens

Exchange your client credentials for access and refresh tokens by making a request from your backend server. The client_id and client_secret must be sent in the Authorization header as Basic authentication credentials:

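# Double quotes let the shell expand the variables; tr removes any line wrap base64 adds.
curl -X POST https://api.nomos.energy/oauth/token \
  -H "Authorization: Basic $(printf '%s' "${CLIENT_ID}:${CLIENT_SECRET}" | base64 | tr -d '\n')" \
  -d grant_type=client_credentials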

The response will include an access token (valid for 60 minutes) and a refresh token:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "1B4a2e77838347a7E420ce178F2E7c6912E169246c"
}

3. Make authenticated requests

Include the access token in the Authorization header of your API requests:

curl -X GET https://api.nomos.energy/subscriptions \
  -H "Authorization: Bearer ${ACCESS_TOKEN}"

4. Refresh expired tokens

When the access token expires, use the refresh token to obtain a new one:

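# Same Basic header as in step 2; the refresh token is quoted so the shell passes it intact.
curl -X POST https://api.nomos.energy/oauth/token \
  -H "Authorization: Basic $(printf '%s' "${CLIENT_ID}:${CLIENT_SECRET}" | base64 | tr -d '\n')" \
  -d grant_type=refresh_token \
  -d "refresh_token=${REFRESH_TOKEN}"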
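
Steps 2 to 4 combined into one backend helper, as an added example that is not part of the original page or Nomos's own code: it reads the credentials from the environment, caches the access token until shortly before `expires_in` runs out, renews it with the refresh token, and falls back to a new client-credentials exchange if the refresh is rejected. The names `TokenCache`, `http_post` and `basic_header`, the 60-second safety margin, and keeping the old refresh token when a response omits one are assumptions.

```python
import base64, json, os, time
import urllib.parse, urllib.request

TOKEN_URL = "https://api.nomos.energy/oauth/token"  # endpoint from the page

def basic_header(client_id, client_secret):
    """Build the HTTP Basic value for client_id:client_secret."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def http_post(form, auth):
    """Default transport: form-encoded POST to the token endpoint."""
    req = urllib.request.Request(
        TOKEN_URL, data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": auth})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: caches the access token and renews it early."""
    def __init__(self, client_id, client_secret, post=http_post,
                 clock=time.monotonic, skew=60):
        self._auth = basic_header(client_id, client_secret)
        self._post, self._clock, self._skew = post, clock, skew
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _store(self, body):
        self._access = body["access_token"]
        self._refresh = body.get("refresh_token", self._refresh)
        self._expires_at = self._clock() + body["expires_in"] - self._skew

    def access_token(self):
        if self._access and self._clock() < self._expires_at:
            return self._access                  # still valid: no network call
        if self._refresh:
            try:
                self._store(self._post({"grant_type": "refresh_token",
                                        "refresh_token": self._refresh}, self._auth))
                return self._access
            except OSError:                      # urllib HTTP/network errors
                self._refresh = None             # refresh rejected: start over
        self._store(self._post({"grant_type": "client_credentials"}, self._auth))
        return self._access

if __name__ == "__main__":
    # Credentials come from the environment, never from source code.
    cache = TokenCache(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    print("token acquired, length", len(cache.access_token()))
```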