Client Credentials Flow

Use the Client Credentials flow for server-to-server integrations that act on behalf of your organization without a signed-in user. This guide walks you through setup from OAuth application creation to your first API call.

Review the Getting Started guide first if you have not already covered prerequisites, network access, and the security model.

What you’ll do

Create an OAuth application — Register your app in Prevu3D and get credentials
Configure service user access — Give your app access to the data it needs
Get an access token — Authenticate and receive a token to use the API
Find your API URL — Discover your organization’s base URL (it varies by region)
Make your first call — Test the connection with a simple request

Step 1: Create your OAuth application

Log in to the Prevu3D Platform.
Go to Settings → OAuth.
Click to create a new application.
Choose Client Credentials as the OAuth flow.
Assign the permissions your application needs (this configures layer 1: OAuth scopes). Your org admin can help you decide which scopes are required.
Click the create button.
Copy and securely store your Client ID and Client Secret. You will need these for every API request.

Step 2: Configure service user access

When you create an OAuth application, a corresponding service user is automatically created in your organization. This service user represents your application when it interacts with the API, but it doesn’t have any access yet.

This step covers layers 2 and 3 of the security model: which nodes the service user can see (content access), and what it can do with them (role / permission access).

Go to Settings → Users.
Find your service user and click the edit button (it should be similarly named to the OAuth application you created).
Grant the service user content access to the nodes (organizations, divisions, sites, etc.) your use case requires.
Assign the appropriate role / permission on those nodes so the service user can perform the operations it needs (read, edit, manage, etc.).
Confirm the changes.

Step 3: Get your access token

To call the API, you first need an access token. Send a request to the token endpoint with your Client ID and Client Secret.

Endpoint: POST https://cloud-api.prevu3d.com/oauth/token

Headers:

Authorization: Basic <base64(client_id:client_secret)> — Encode your Client ID and Secret as client_id:client_secret, then Base64-encode that string
Content-Type: application/x-www-form-urlencoded

Body: grant_type=client_credentials

Example request:

POST https://cloud-api.prevu3d.com/oauth/token HTTP/1.1
Host: cloud-api.prevu3d.com
Authorization: Basic eW91ci1jbGllbnQtaWQ6eW91ci1jbGllbnQtc2VjcmV0
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

Example response:

{
  "hasError": false,
  "expiresIn": 3600,
  "accessToken": "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9..."
}

Save the accessToken from the response. The token is valid for 1 hour; after that, you will need to request a new one the same way.

Step 4: Get your API base URL

Regional RealityConnect API (your organization uses one region; this guide explains how to discover the exact URL):

Call the discovery endpoint below to get the apiUrl for your organization. Do not hardcode a regional URL.

Endpoint: GET https://cloud-api.prevu3d.com/oauth/api-info

Headers: Authorization: Bearer <your_access_token>

Example response:

{
  "user": { "..." : "..." },
  "organization": {
    "id": "217ebd23-ec54-4af0-a6d6-4a441a6d1966",
    "name": "Test Organization"
  },
  "scopes": ["read:basic", "read:hierarchy"],
  "apiUrl": "https://api-ue1.prevu3d.com/realityconnect-api"
}

Use the apiUrl value as the base for all your API calls. Also note the organization.id — you’ll need it for many endpoints.

Step 5: Make your first API call

You now have everything you need: an access token and your base URL. Let’s make a simple request to retrieve your organization’s divisions:

GET {apiUrl}/v1/nodes/{organization_id}/browse
Authorization: Bearer <your_access_token>

Example with real values:

GET https://api-ue1.prevu3d.com/realityconnect-api/v1/nodes/217ebd23-ec54-4af0-a6d6-4a441a6d1966/browse HTTP/1.1
Authorization: Bearer eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9...

A successful response containing a list of divisions confirms that your integration is working correctly.

Try it with Python

Here’s a complete script that does everything above. Replace client_id and client_secret with your credentials, then run it.

import requests
import base64
import json

client_id = "your-client-id"
client_secret = "your-client-secret"
base_url = "https://cloud-api.prevu3d.com"

# Step 1: Get a token
token_response = requests.post(
    f"{base_url}/oauth/token",
    data={"grant_type": "client_credentials"},
    headers={
        "Authorization": f'Basic {base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()}',
        "Content-Type": "application/x-www-form-urlencoded",
    },
)

token_response.raise_for_status()
access_token = token_response.json()["accessToken"]

# Step 2: Get your API URL and org ID
api_info = requests.get(
    f"{base_url}/oauth/api-info",
    headers={"Authorization": f"Bearer {access_token}"},
).json()

api_url = api_info["apiUrl"]
organization_id = api_info["organization"]["id"]

# Step 3: Browse divisions
divisions = requests.get(
    f"{api_url}/v1/nodes/{organization_id}/browse",
    headers={"Authorization": f"Bearer {access_token}"},
).json()

print("Divisions:", json.dumps(divisions, indent=2))

Troubleshooting

If you see…	Try this…
401 Unauthorized when getting a token	Double-check your Client ID and Secret. Make sure you’re Base64-encoding `client_id:client_secret` correctly.
403 Forbidden when calling the API	A request must pass all three security layers. Check that (1) your OAuth application has the right scopes, (2) the service user has content access to the target node, and (3) it has a role with the required permissions on that node.

For connection, DNS, and API URL issues, see Getting Started — API URLs and network access.

What’s next?

For production use, add logic to refresh your token before it expires (after 1 hour).
Explore the API reference to see all available operations.