Nexus Authentication
How to obtain and use access tokens to consume Nexus APIs
The Nexus platform exposes a public OAuth2 token endpoint. Use your App Client credentials (client_id and client_secret) with the Client Credentials flow to obtain an access token. POST /nexus/oauth2/token does not require a Bearer token — Nexus Auth validates your App Client and returns the access token for use with Nexus APIs.
The Nexus UI generates your credentials when you create an App Client on the App Clients screen. You will receive:
| Parameter | Description |
|---|---|
| client_id | Your App Client identifier |
| client_secret | Secret generated when the App Client is created |
Send a POST request to /nexus/oauth2/token with Content-Type application/x-www-form-urlencoded and grant_type=client_credentials. Credentials can be supplied in two ways (RFC 6749 §2.3):
- Preferred — Basic Authentication (curl -u shorthand)
- Fallback — client_id and client_secret in the request body (when the Authorization header is not used)
A successful request returns a JSON response with the access token:
| Field | Description |
|---|---|
| access_token | The JWT token to use in API requests |
| token_type | Always "Bearer" |
| expires_in | Token lifetime in seconds |
| scope | Granted scopes (when included in the response) |
Include the access token as a Bearer token in the Authorization header of every protected Nexus API request.
Tokens are short-lived. Your application should:
- Cache the token and reuse it until it expires
- Monitor the expires_in value and request a new token before expiration
- Handle 401 responses by requesting a fresh token and retrying the request
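The three behaviours above, as an added Python example (not Nuvy's own code): the token is fetched with Basic authentication, reused until shortly before expires_in runs out, and refreshed once on a 401. `TokenCache`, `post_form`, the 30-second `skew` and the `send` callback are hypothetical names chosen for this sketch; the URL is the QA endpoint listed on this page.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = "https://qa.api.nuvy.ai/nexus/oauth2/token"  # QA endpoint listed on this page
FORM = "application/x-www-form-urlencoded"

def post_form(url, headers, form):
    """Default transport: POST a form body over HTTPS and return the parsed JSON."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: caches a client_credentials token, renews it early."""

    def __init__(self, client_id, client_secret, post=post_form,
                 clock=time.monotonic, skew=30):
        # Preferred method from the page: Basic with base64(client_id:client_secret).
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._headers = {"Authorization": f"Basic {basic}", "Content-Type": FORM}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def __repr__(self):
        # Keeps the secret and token out of logs and tracebacks.
        return "<TokenCache [credentials redacted]>"

    def get(self, force=False):
        """Return the cached token; fetch one if absent, forced or near expiry."""
        stale = self._clock() >= self._expires_at - self._skew
        if force or self._token is None or stale:
            body = self._post(TOKEN_URL, self._headers,
                              {"grant_type": "client_credentials"})
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body["expires_in"])
        return self._token

    def call(self, send):
        """send(headers) -> (status, payload). On 401, refresh once, retry once."""
        status, payload = send({"Authorization": f"Bearer {self.get()}"})
        if status == 401:
            fresh = self.get(force=True)
            status, payload = send({"Authorization": f"Bearer {fresh}"})
        return status, payload
```

Read client_id and client_secret from the environment or a secrets manager when constructing `TokenCache`; the single retry keeps a revoked App Client from causing a request loop.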
| Status | Description | Action |
|---|---|---|
| 400 | invalid_request — wrong Content-Type or missing credentials | Use Content-Type: application/x-www-form-urlencoded and send credentials via Basic or body |
| 400 | unsupported_grant_type — missing or wrong grant_type | Set grant_type=client_credentials |
| 400 | invalid_scope — requested scope not granted to the client | Remove scope or request only scopes configured for your App Client |
| 401 | invalid_client — invalid credentials or revoked App Client | Verify client_id and client_secret |
| 501 | unsupported_grant_type — grant type not supported for your App Client | Contact Nuvy support |
- Store credentials in environment variables or a secrets manager, never in source code
- Use HTTPS for all requests (enforced by the Nuvy API)
- Rotate your client_secret periodically
- Implement token caching to minimize token requests
- Never log access tokens or credentials
| Environment | Token Endpoint |
|---|---|
| QA | https://qa.api.nuvy.ai/nexus/oauth2/token |
| Production | https://prd.api.nuvy.ai/nexus/oauth2/token |
API Reference
Technical specification for the Nexus OAuth2 token endpoint
Public endpoint — no Bearer token required. Nexus Auth issues an access token via client_credentials using your App Client credentials.
Authentication
| Type | Details |
|---|---|
| Preferred | Authorization: Basic with Base64-encoded client_id:client_secret |
| Fallback | client_id and client_secret in the form body (required when Basic is not used) |
Headers
| Header | Value | Required |
|---|---|---|
| Content-Type | application/x-www-form-urlencoded | Yes |
| Authorization | Basic {base64(client_id:client_secret)} | Preferred |
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
| grant_type | string | Yes | Must be client_credentials |
| client_id | string | If no Basic | Your App Client identifier |
| client_secret | string | If no Basic | Your App Client secret |
| scope | string | No | Space-separated scopes; App Client defaults apply if omitted |
Response (200 OK)
Error Responses
| Status | Meaning |
|---|---|
| 400 Bad Request | invalid_request — wrong Content-Type or missing credentials |
| 400 Bad Request | unsupported_grant_type — invalid or missing grant_type |
| 400 Bad Request | invalid_scope — scope not granted to the client |
| 401 Unauthorized | invalid_client — invalid credentials or revoked App Client |
| 501 Not Implemented | unsupported_grant_type — grant type not supported for your App Client |