# Administrator API access

Admin API access allows you to authenticate as an administrator and perform privileged operations in the WLL platform — such as adjusting user points, managing rewards, or retrieving reports.

To use admin access, you must include both your API key and a valid **admin access token** in each request.

***

## When to use admin access

Admin access is required for any operation that falls outside a single end user’s scope or requires elevated permissions.

Common use cases include:

* Adjusting a user’s points balance
* Managing rewards or incentives
* Viewing user activity across the program
* Performing reporting or data export operations
* Running scripts or automation via back-end services

***

## Authentication method

Include both of the following headers in your request:

```http
X-Api-Key: your-tenant-api-key
Authorization: Bearer admin-access-token
```

{% hint style="info" %}
Your API key can be found in the **Loyalty Console > Settings > Tenant** screen.
{% endhint %}

***

## Generating admin access tokens

You must first request your **client credentials** (client ID and secret) using the instructions in [Request API credentials](/developer/guides/api-authentication/request-api-credentials.md). These are then used to generate short-lived OAuth2 tokens via the client credentials grant flow.

For step-by-step instructions, see [Generate an admin access token](/developer/guides/api-authentication/generate-an-admin-access-token.md).

{% hint style="info" %}
Tokens are scoped to specific environments (e.g. staging or production) and only valid for operations your client credentials are authorized to perform.
{% endhint %}

{% hint style="danger" %}

#### Don't generate a new token for every API call

Admin access tokens are **valid for 24 hours**. You should generate a token once, **cache it securely**, and reuse it for all admin API requests during that window.

Requesting a new token for every call is unnecessary and inefficient — it creates unnecessary load and may result in throttling or extra usage costs.
{% endhint %}

***

## Admin authentication flows

Admin authentication in WLL is based on OAuth2 tokens generated by WLL’s own identity and access management service. There are two supported ways to obtain an admin access token:

### 1. Non-interactive (server-to-server)

Use this for scripts, back-end services, or integrations.

* Based on [OAuth2 client credentials grant](https://tools.ietf.org/html/rfc6749#section-4.4)
* Token is requested programmatically using client ID and secret
* Most common method for WLL integrations
* If you operate a multi-tenant scheme, the credentials can also be granted access to multiple tenants

See [Generate an admin access token](/developer/guides/api-authentication/generate-an-admin-access-token.md) for the full request structure.

{% @mermaid/diagram content="sequenceDiagram
participant S as Service
participant IAM as WLL Auth
participant API as WLL API
autonumber
S->>IAM: Authenticate with client credentials
IAM->>S: Return access token
S->>API: Make request to API
API->>S: API Response" %}
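The following is an added example, not code from WLL or this guide, of how a back-end service would implement the server-to-server flow above while following the "generate once, cache, reuse" rule from the token hint. It uses the two headers shown on this page and the 24-hour lifetime it states. The token endpoint URL, the exact JSON shape of the token response (`access_token` / `expires_in`), the five-minute refresh margin and the use of Python's standard-library `urllib` are assumptions: take the real endpoint and response format from the "Generate an admin access token" guide.

```python
"""Added example (not WLL's own code): obtain an admin access token with the
OAuth2 client credentials grant, cache it for its lifetime, and attach the
X-Api-Key and Authorization headers the Admin API expects.

Assumed, not taken from the page: TOKEN_URL (placeholder), the token-response
keys access_token / expires_in, and REFRESH_MARGIN.
"""
import io
import json
import os
import threading
import time
import urllib.parse
import urllib.request

# Placeholder: the real token endpoint is documented in the
# "Generate an admin access token" guide, not on this page.
TOKEN_URL = os.environ.get("WLL_TOKEN_URL", "https://TOKEN-ENDPOINT-FROM-GUIDE/oauth/token")
REFRESH_MARGIN = 300          # seconds before expiry at which a fresh token is fetched (assumed)
DEFAULT_LIFETIME = 24 * 3600  # the 24-hour validity stated on the page, used if expires_in is absent


def request_token(client_id, client_secret, token_url=TOKEN_URL, opener=urllib.request.urlopen):
    """POST an OAuth2 client credentials grant (RFC 6749 section 4.4) and return the parsed JSON body.

    `opener` is injectable so the exchange can be exercised offline; by default it is urllib's urlopen.
    """
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with opener(req) as resp:
        return json.load(resp)


class AdminTokenCache:
    """Holds one admin token per client/environment and refreshes it shortly before it expires.

    The lock makes the cache safe to share between worker threads, so concurrent
    requests never each trigger their own token request.
    """

    def __init__(self, fetch, clock=time.time):
        self._fetch = fetch      # callable returning the token-response dict
        self._clock = clock      # injectable clock for deterministic tests
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0     # how many token requests were actually made

    def get(self):
        """Return a cached token, requesting a new one only when none is held or expiry is near."""
        with self._lock:
            now = self._clock()
            if self._token is None or now >= self._expires_at - REFRESH_MARGIN:
                data = self._fetch()
                self._token = data["access_token"]
                self._expires_at = now + float(data.get("expires_in", DEFAULT_LIFETIME))
                self.fetch_count += 1
            return self._token


def admin_headers(api_key, cache):
    """Build the two headers from the 'Authentication method' section for one admin API request."""
    return {"X-Api-Key": api_key, "Authorization": f"Bearer {cache.get()}"}


def explain_rejection(status):
    """Map a rejected request to the checks the page recommends (scope and environment)."""
    if status == 401:
        return "token missing, expired or issued for another environment: obtain a fresh token"
    if status == 403:
        return "token lacks the permission scope for this operation: check the grants on the client credentials"
    return None


if __name__ == "__main__":
    # Credentials come from the environment, never from source or front-end code.
    cid, secret = os.environ["WLL_CLIENT_ID"], os.environ["WLL_CLIENT_SECRET"]
    cache = AdminTokenCache(lambda: request_token(cid, secret))
    print(admin_headers(os.environ["WLL_API_KEY"], cache))
```

The service keeps a single `AdminTokenCache` for the whole process and calls `admin_headers()` per request; only the first call, and one call near the end of each 24-hour window, reaches the token endpoint, which is exactly the behaviour the hint asks for.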

### 2. Interactive (Loyalty Console login)

Used when a staff member logs into the Loyalty Console and performs actions manually.

* Staff log in using their WLL account (email + password or SSO)
* A short-lived admin token is issued for API requests made through the Console
* Optional support for TOTP and external IdPs (e.g. Azure AD, Okta, Google Workspace, PingFederate)

<figure><img src="/files/xvpY9QXXg1scsUbgSNjQ" alt=""><figcaption><p>Optional admin SSO flow</p></figcaption></figure>

***

## Permissions and scopes <a href="#authorization" id="authorization"></a>

Admin access tokens are scoped to fine-grained permissions. For example, permissions for managing **Users** include:

* `create:users`
* `read:users`
* `update:user`
* `delete:users`

Tokens only allow access to the operations your client credentials or admin role has been granted. If a request is rejected, check the permission scope and the environment the token was issued for.

<figure><img src="/files/Y3Rg013WfwarhgdwyYZz" alt=""><figcaption><p>Granting permissions to a staff member in the Loyalty Console</p></figcaption></figure>

***

## Security considerations

* Never expose client credentials or admin access tokens in front-end code
* Admin tokens should be short-lived and stored securely
* If you lose access to your credentials, [contact WLL Support](https://kbase.whitelabel-loyalty.com/product/services-and-support/wll-support/how-do-i-contact-support) immediately

***

## Next steps

* [Request API credentials](/developer/guides/api-authentication/request-api-credentials.md) – to get your client ID and secret
* [Generate an admin access token](/developer/guides/api-authentication/generate-an-admin-access-token.md) – to make your first authenticated request
