Generate an admin access token

Some WLL API endpoints require elevated privileges and must be accessed using an admin access token. These endpoints are clearly labeled in our API reference with a red banner, listing the authorization scopes needed to access them.

These tokens are short-lived and are generated using the OAuth2 client credentials grant.

This article shows you how to generate an admin token using your client ID and secret.

Prerequisites

Before generating a token, you must have:

• A valid client ID and client secret

• Access to the correct audience (e.g. staging or production)

If you don’t have credentials yet, see Request API credentials.

Generating your admin access token

1. Request an admin access token using your client credentials via the OAuth2 token endpoint.

2. Pass the returned token as a Bearer token in the Authorization header of your requests to the WLL API.

This is the standard client credentials grant flow, suitable for server-side scripts, integrations, and admin automation.

Token Endpoint

The correct endpoint to request a token from depends on which region your tenant exists in.

• Default (EU) endpoint: https://auth.wlloyalty.net/oauth/token

• US endpoint: https://auth.us.wlloyalty.net/oauth/token

Request format

Send a JSON payload containing your client credentials and the target environment.

In the following examples, replace $YOUR_SECRET and $YOUR_ID with your client secret and client ID, respectively. The audience parameter in the request body specifies which environment the token should access. Your credentials are typically configured to allow access to only one specific environment.

Request a token valid for any environment

curl --request POST \
  --url https://auth.wlloyalty.net/oauth/token \
  --header 'content-type: application/json' \
  --data '{
  "client_id":"$YOUR_ID",
  "client_secret":"$YOUR_SECRET",
  "audience":"wlloyalty.net",
  "grant_type":"client_credentials"
  }'

const request = require('request');

request(
 {
   method: 'POST',
   url: 'https://auth.wlloyalty.net/oauth/token',
   headers: { 'content-type': 'application/json' },
   body: JSON.stringify({
     client_id: '$YOUR_ID',
     client_secret: '$YOUR_SECRET',
     audience: 'wlloyalty.net',
     grant_type: 'client_credentials'
   }),
 },
 (error, response, body) => {
   if (error) throw new Error(error);
   console.log(body);
 }
);

Request a token valid for staging only

These requests are identical except for the audience parameter in which we specify staging.wlloyalty.net.

curl --request POST \
  --url https://auth.wlloyalty.net/oauth/token \
  --header 'content-type: application/json' \
  --data '{
  "client_id":"$YOUR_ID",
  "client_secret":"$YOUR_SECRET",
  "audience":"staging.wlloyalty.net",
  "grant_type":"client_credentials"
  }'

Request a token valid for production only

These requests are identical except for the audience parameter in which we specify production.wlloyalty.net.

curl --request POST \
  --url https://auth.wlloyalty.net/oauth/token \
  --header 'content-type: application/json' \
  --data '{
  "client_id":"$YOUR_ID",
  "client_secret":"$YOUR_SECRET",
  "audience":"production.wlloyalty.net",
  "grant_type":"client_credentials"
  }'

Token lifetime

Admin tokens are valid for 24 hours (86,400 seconds) from the time they’re issued.