Documentation Index

Fetch the complete documentation index at: https://academy.insiderone.com/llms.txt

Use this file to discover all available pages before exploring further.

Generate OAuth 2.0 Credentials for SMS

Prev Next

Before calling the SMS APIs, create an OAuth 2.0 credential for your InOne account.

An OAuth credential consists of a Client ID and Client Secret that identify your application and authorize access to the selected SMS API scopes.

To create an OAuth 2.0 credential:

  1. Navigate to InOne > your username> Settings > InOne Settings > Integration Settings.  

  2. Scroll to the OAuth 2.0 Credentials section and select Generate OAuth 2.0 Credential.  

  3. Enter a name for the credential and specify the token duration.

  4. Select the required API scopes:        

    • sms-transactional

    • sms-analytics

  5. Select Continue.

  6. Enter the IP addresses authorized to use the credential.

  7. Select Authorize and Generate.

  8. Copy and securely store the Client ID and Client Secret. The Client Secret is displayed only once and cannot be viewed again after the dialog is closed.

You can manage or revoke OAuth credentials at any time from the Integration Settings page on InOne.

Generate a Gateway Access Token

All SMS API requests must include a Bearer access token. Access tokens are issued by the Insider Gateway and remain valid for the duration configured when the OAuth credential is created.

Endpoint and Headers

POST  https://gw.useinsider.com/auth/token

Visit our Postman collection to test this request.

Headers

Header

Sample Value

Description

Content-Type

application/json

Specifies that the request body is sent in JSON format.

Body Parameters

The token endpoint uses snake_case field names, such as client_id and client_secret. SMS API request bodies use camelCase field names, such as to, content, and uniqueArgs.

Parameter

Description

Data Type

Required

client_id

The OAuth 2.0 Client ID generated from Integration Settings.

String

Yes

client_secret

The OAuth 2.0 Client Secret generated from Integration Settings. Treat this value as confidential.

String

Yes

scopes

A subset of the scopes assigned to the credential. Include the scope required for the API you intend to call (for example, sms-transactional or sms-analytics).

Array[String]

Yes

Sample Request

curl --location 'https://gw.useinsider.com/auth/token' \
  --header 'Content-Type: application/json' \
  --data '{
    "client_id": "your-client-id",
    "client_secret": "your-client-secret",
    "scopes": ["sms-transactional", "sms-analytics"]
  }'

Sample Responses

200 OK

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in_sec": 3600
}

The expires_in_sec value indicates the token lifetime in seconds. Cache and reuse the token until it is close to expiration, then request a new one.

400 Bad Request

Missing or invalid request parameters.

{
  "message": "invalid request"
}

401 Unauthorized

Invalid credentials, unauthorized scope, or the request originates from an IP address not on the allowlist.

{
  "message": "invalid client or secret"
}

HTTP Status

Response Body

Description

401 Unauthorized

{ "message": "unauthorized" }

The Bearer token is missing, expired, malformed, or has an invalid signature. Generate a new access token and retry the request.

403 Forbidden

{ "message": "forbidden" }

The access token is valid, but it does not include the scope required to access the endpoint.

429 Too Many Requests

Retry-After header returned

The rate limit or burst limit for the client and scope has been exceeded. Wait for the duration specified in the “Retry-After” header before retrying the request.

Token handling best practices

  • Generate access tokens on the server side only. Do not expose the Client ID or Client Secret in browser-based or mobile applications.

  • Cache and reuse access tokens until they are close to expiration. Avoid requesting a new token for every API call. A common approach is to refresh the token shortly before the expires_in_sec value is reached.

  • Store the Client Secret securely and treat it as confidential. If the secret is exposed or ownership changes, generate a new credential from Integration Settings.

  • Use the IP allowlist configured on the OAuth credential to restrict where access tokens can be generated from.

FAQ

Q: Can I use the same OAuth credentials for both SMS Analytics and SMS Transactional APIs?
A: Yes. When creating the OAuth credential, select both sms-analytics and sms-transactional scopes. You can then request an access token that includes one or both scopes, depending on your use case.

Q: Do access tokens refresh automatically?
A: No. OAuth access tokens do not support automatic refresh. Cache the access token in your application and request a new one before it expires.

Q: What should I do if I receive a 401 Unauthorized response?
A: Verify that:

  • The access token is included in the Authorization header.

  • The token has not expired.

  • The client_id and client_secret are valid.

  • The request originates from an IP address included in the credential allowlist.

Q: What should I do if I receive a 403 Forbidden response?
A: A 403 response indicates that the access token is valid, but it does not include the scope required by the endpoint. Ensure that the required scope is assigned to the OAuth credential and included when requesting the access token.

Q: Can I continue using API-key authentication?
A: Yes. Existing API-key authentication continues to be supported. You can migrate to OAuth 2.0 at your own pace and use both authentication methods during the transition period.