search
API ReferenceProduct DocsLoyalty ConsoleGet Support

Generate an admin access token

Use your client credentials to generate a short-lived admin access token for authenticating with WLL’s admin API.

Some WLL API endpoints require elevated privileges and must be accessed using an admin access token. These endpoints are clearly labeled in our API referencearrow-up-right with a red banner, listing the authorization scopes needed to access them.

These tokens are short-lived and are generated using the OAuth2 client credentials grant.

This article shows you how to generate an admin token using your client ID and secret.

hashtag
Prerequisites

Before generating a token, you must have:

  • A valid client ID and client secret

  • Access to the correct audience (e.g. staging or production)

If you don’t have credentials yet, see Request API credentials.

hashtag
Generating your admin access token

  1. Request an admin access token using your client credentials via the OAuth2 token endpoint.

  2. Pass the returned token as a Bearer token in the Authorization header of your requests to the WLL API.

This is the standard client credentials grant flow, suitable for server-side scripts, integrations, and admin automation.

triangle-exclamation

hashtag
Don't generate a new token for every API call

Admin access tokens are valid for 24 hours. You should generate a token once, cache it securely, and reuse it for all admin API requests during that window.

Requesting a new token for every call is unnecessary and inefficient — it creates unnecessary load and may result in throttling or extra usage costs.

hashtag
Token Endpoint

The correct endpoint to request a token from depends on which region your tenant exists in.

  • Default (EU) endpoint: https://auth.wlloyalty.net/oauth/token

  • US endpoint: https://auth.us.wlloyalty.net/oauth/token

hashtag
Request format

Send a JSON payload containing your client credentials and the target environment.

In the following examples, replace $YOUR_SECRET and $YOUR_ID with your client secret and client ID, respectively. The audience parameter in the request body specifies which environment the token should access. Your credentials are typically configured to allow access to only one specific environment.

hashtag
Request a token valid for any environment

chevron-rightcURLhashtag
chevron-rightNode.jshashtag

hashtag
Request a token valid for staging only

These requests are identical except for the audience parameter in which we specify staging.wlloyalty.net.

chevron-rightcURLhashtag

hashtag
Request a token valid for production only

These requests are identical except for the audience parameter in which we specify production.wlloyalty.net.

chevron-rightcURLhashtag

hashtag
Token lifetime

Admin tokens are valid for 24 hours (86,400 seconds) from the time they’re issued.

triangle-exclamation

hashtag
Don't generate a new token for every API call

Admin access tokens are valid for 24 hours. You should generate a token once, cache it securely, and reuse it for all admin API requests during that window.

Requesting a new token for every call is unnecessary and inefficient — it creates unnecessary load and may result in throttling or extra usage costs.

PreviousRequest API credentialsNextIntegrate with POS

Last updated