Skip to main content
LinkXG supports two authentication methods: OAuth 2.0 for machine-to-machine integrations, and JWT tokens for user-context operations. This guide covers both.

Authentication methods

MethodUse caseToken lifetime
OAuth 2.0 Client CredentialsServer-to-server integrations, automated systems15 minutes
JWT Bearer TokenUser-initiated actions, interactive applications15 minutes (access), 7 days (refresh)
For most integrations, OAuth 2.0 is the recommended approach.
OAuth 2.0 Client Credentials flow is designed for machine-to-machine communication where no user interaction is required.

Step 1: Create an OAuth client

OAuth clients are created in the LinkXG application by an Owner or Admin.
  1. Go to Account > API Access
  2. Select Create OAuth Client
  3. Provide a name for the client (e.g., “ERP Integration”)
  4. Select the scopes you need
  5. Save the client
You will receive a client_id and client_secret. Store the secret securely — it is shown only once.

Step 2: Request an access token

Exchange your credentials for an access token: 
curl -X POST https://api.linkxg.com/api/v1/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=products:read connections:read"
Response: 
{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 900,
  "scope": "products:read connections:read"
}
The token expires in 900 seconds (15 minutes). Request a new token before it expires.

Step 3: Use the token

Include the token in the Authorization header of all API requests: 
curl https://api.linkxg.com/api/v1/products \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Available scopes

ScopeDescription
products:readRead products and product versions
products:writeCreate, update, and delete products
connections:readRead connections and shared data
connections:writeManage connections
imports:writeBulk import operations
traceability:readRead traceability and supply chain data
dpp:readRead Digital Product Passports
Request only the scopes you need. Tokens with broader scopes carry greater risk if compromised.

Rotating client secrets

If your client secret is compromised, rotate it immediately: 
curl -X POST https://api.linkxg.com/api/v1/oauth/clients/YOUR_CLIENT_ID/rotate \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
This invalidates the old secret and returns a new one. Update your integration before the old secret stops working.

JWT authentication (user context)

JWT authentication is used when actions need to be performed in the context of a specific user, typically for interactive applications.

Login

curl -X POST https://api.linkxg.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your_password"
  }'
Response: 
{
  "success": true,
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIs...",
    "refreshToken": "dGhpcyBpcyBhIHJlZnJl...",
    "user": {
      "id": "uuid",
      "email": "[email protected]",
      "role": "ADMIN"
    }
  }
}

Using the token

Include the access token in requests: 
curl https://api.linkxg.com/api/v1/products \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Refreshing tokens

Access tokens expire after 15 minutes. Use the refresh token to obtain a new access token: 
curl -X POST https://api.linkxg.com/api/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "refreshToken": "YOUR_REFRESH_TOKEN"
  }'
Refresh tokens are rotated on each use — you receive a new refresh token with each refresh request. The old refresh token is invalidated.

Logout

Invalidate your session: 
curl -X POST https://api.linkxg.com/api/v1/auth/logout \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Token handling best practices

Store tokens securely. Never store tokens in client-side code, localStorage, or version control. Use secure server-side storage or environment variables. Refresh proactively. Request a new token before the current one expires. A token that expires mid-request will fail. Handle 401 errors gracefully. If you receive a 401 Unauthorized response, your token may have expired. Refresh it and retry the request. Use the minimum necessary scope. Tokens with broader scopes carry greater risk. Request only what you need. Rotate secrets regularly. Even without a suspected compromise, rotating client secrets periodically reduces risk.

Error responses

Authentication errors return standard HTTP status codes:
StatusErrorDescription
400invalid_requestMalformed request (missing fields, invalid format)
401invalid_clientClient credentials are incorrect
401invalid_tokenToken is expired, malformed, or revoked
403insufficient_scopeToken does not have the required scope
429rate_limit_exceededToo many authentication requests
Example error response: 
{
  "error": "invalid_client",
  "error_description": "Client authentication failed"
}

Next steps

API Reference

Browse the complete API documentation

Rate limits

Understand usage limits and quotas