# Generate an admin access token

Some WLL API endpoints require elevated privileges and must be accessed using an **admin access token**. These endpoints are clearly labeled in our [API reference](https://docs.whitelabel-loyalty.com/rewards.html#header-authorization) with a red banner, listing the authorization scopes needed to access them.

<img src="/files/QG0c7RT8oHJX5g0Ps7le" alt="" width="375">

These tokens are short-lived and are generated using the **OAuth2 client credentials grant**.

This article shows you how to generate an admin token using your client ID and secret.

***

## Prerequisites

Before generating a token, you must have:

* A valid **client ID** and **client secret**
* Access to the correct **audience** (e.g. staging or production)

If you don’t have credentials yet, see [Request API credentials](/developer/guides/api-authentication/request-api-credentials.md).

***

## Generating your admin access token

1. **Request an admin access token** using your client credentials via the OAuth2 token endpoint.
2. **Pass the returned token** as a Bearer token in the Authorization header of your requests to the WLL API.

This is the standard **client credentials grant** flow, suitable for server-side scripts, integrations, and admin automation.

{% hint style="danger" %}

#### Don't generate a new token for every API call

Admin access tokens are **valid for 24 hours**. You should generate a token once, **cache it securely**, and reuse it for all admin API requests during that window.

Requesting a new token for every call is inefficient: it creates unnecessary load and may result in throttling or extra usage costs.
{% endhint %}

### Token Endpoint

The correct endpoint to request a token from depends on which region your tenant exists in.

* Default (EU) endpoint: `https://auth.wlloyalty.net/oauth/token`
* US endpoint: `https://auth.us.wlloyalty.net/oauth/token`
* GCC endpoint: `https://auth.me.wlloyalty.net/oauth/token`

### Request format

Send a JSON payload containing your client credentials and the target environment.

In the following examples, replace `$YOUR_SECRET` and `$YOUR_ID` with your client secret and client ID, respectively. The audience parameter in the request body specifies which environment the token should access. Your credentials are typically configured to allow access to only one specific environment.

#### Request a token valid for any environment <a href="#h_01hgdz1txmfqnk59pg5jf10f1w" id="h_01hgdz1txmfqnk59pg5jf10f1w"></a>

<details>

<summary>cURL</summary>

```bash
curl --request POST \
  --url https://auth.wlloyalty.net/oauth/token \
  --header 'content-type: application/json' \
  --data '{
  "client_id":"$YOUR_ID",
  "client_secret":"$YOUR_SECRET",
  "audience":"wlloyalty.net",
  "grant_type":"client_credentials"
  }'
```

</details>

<details>

<summary>Node.js</summary>

```javascript
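// Uses the `request` npm package. Replace the $YOUR_ID and $YOUR_SECRET
// placeholders with your client ID and client secret.
const request = require('request');

request(
  {
    method: 'POST',
    url: 'https://auth.wlloyalty.net/oauth/token',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      client_id: '$YOUR_ID',
      client_secret: '$YOUR_SECRET',
      audience: 'wlloyalty.net',
      grant_type: 'client_credentials'
    }),
  },
  (error, response, body) => {
    if (error) throw new Error(error);
    // The body holds the access token: avoid logging it outside of local testing.
    console.log(body);
  }
);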
```

</details>

#### Request a token valid for staging only <a href="#h_01hgdz4vc4jf5wn171g46bnj6q" id="h_01hgdz4vc4jf5wn171g46bnj6q"></a>

This request is identical to the one above except for the `audience` parameter, which is set to `staging.wlloyalty.net`.

<details>

<summary>cURL</summary>

```bash
curl --request POST \
  --url https://auth.wlloyalty.net/oauth/token \
  --header 'content-type: application/json' \
  --data '{
  "client_id":"$YOUR_ID",
  "client_secret":"$YOUR_SECRET",
  "audience":"staging.wlloyalty.net",
  "grant_type":"client_credentials"
  }'
```

</details>

#### Request a token valid for production only <a href="#h_01hgdzd11g61gq58mwrk492ab9" id="h_01hgdzd11g61gq58mwrk492ab9"></a>

This request is identical to the one above except for the `audience` parameter, which is set to `production.wlloyalty.net`.

<details>

<summary>cURL</summary>

```bash
curl --request POST \
  --url https://auth.wlloyalty.net/oauth/token \
  --header 'content-type: application/json' \
  --data '{
  "client_id":"$YOUR_ID",
  "client_secret":"$YOUR_SECRET",
  "audience":"production.wlloyalty.net",
  "grant_type":"client_credentials"
  }'
```

</details>

### Token lifetime

Admin tokens are valid for **24 hours (86,400 seconds)** from the time they’re issued.
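
One way to follow the "generate once, cache, reuse" guidance on this page, shown as an added example that is not WLL's own code: a small in-memory token provider that requests a token with the client credentials grant and reuses it until shortly before it expires. The names `createAdminTokenProvider`, `fetchImpl`, `now` and the five-minute refresh margin are assumptions made for this example, as is the response shape (standard OAuth2 `access_token` and `expires_in` fields).

```javascript
// Added example (Node.js 18+): cache one admin token and reuse it until it expires.
// Assumption: the response carries the standard OAuth2 fields `access_token`
// and `expires_in` (RFC 6749); this page does not show the response body.
const TOKEN_ENDPOINTS = {
  eu: 'https://auth.wlloyalty.net/oauth/token',
  us: 'https://auth.us.wlloyalty.net/oauth/token',
  gcc: 'https://auth.me.wlloyalty.net/oauth/token',
};
const DEFAULT_LIFETIME_S = 86400; // 24 hours, as stated on this page
const REFRESH_MARGIN_S = 300;     // hypothetical margin: refresh 5 minutes early

// createAdminTokenProvider, fetchImpl and now are names made up for this example.
function createAdminTokenProvider({ region = 'eu', clientId, clientSecret, audience,
                                    fetchImpl = globalThis.fetch, now = Date.now }) {
  const url = TOKEN_ENDPOINTS[region];
  if (!url) throw new Error(`Unknown region: ${region}`);
  let cached = null;   // { token, expiresAt } kept in process memory only
  let inFlight = null; // shared promise so concurrent callers trigger one request

  async function requestToken() {
    const res = await fetchImpl(url, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        client_id: clientId,
        client_secret: clientSecret,
        audience,
        grant_type: 'client_credentials',
      }),
    });
    // Report the status only, so neither the secret nor a token ends up in logs.
    if (!res.ok) throw new Error(`Token request failed with HTTP ${res.status}`);
    const body = await res.json();
    if (!body.access_token) throw new Error('Token response has no access_token');
    const lifetimeS = Number(body.expires_in) || DEFAULT_LIFETIME_S;
    cached = { token: body.access_token,
               expiresAt: now() + (lifetimeS - REFRESH_MARGIN_S) * 1000 };
    return cached.token;
  }

  return async function getToken() {
    if (cached && now() < cached.expiresAt) return cached.token;
    if (!inFlight) inFlight = requestToken().finally(() => { inFlight = null; });
    return inFlight;
  };
}
```

Create one provider per process with credentials read from environment variables or a secrets manager rather than from source code, then send `Authorization: Bearer <token>` using the value returned by `await getToken()`.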



