The MVMNT API uses OAuth 2.0 with the client credentials grant type for machine-to-machine (M2M) authentication.
Authentication follows this flow:
- You receive API credentials (client ID and secret) from MVMNT
- Exchange credentials for a Bearer access token at the token endpoint
- Include the access token in the `Authorization` header for all API requests
- Cache the token and reuse it until it expires
- Request a new token when the current one expires
```
┌─────────────┐                               ┌─────────────┐
│    Your     │  1. Request token with        │    MVMNT    │
│   System    │     client credentials        │    OAuth    │
│             │──────────────────────────────▶│   Server    │
│             │  2. Return access token       │             │
│             │◀──────────────────────────────│             │
└─────────────┘                               └─────────────┘
       │
       │ 3. Cache token
       │
       ▼
┌─────────────┐                               ┌─────────────┐
│   Cached    │  4. Use token for API         │    MVMNT    │
│    Token    │     requests (1 hour)         │     API     │
│             │──────────────────────────────▶│             │
│             │  5. Return API response       │             │
│             │◀──────────────────────────────│             │
└─────────────┘                               └─────────────┘
       │
       │ 6. Token expires
       │
       ▼ (Repeat from step 1)
```

Contact your MVMNT account manager to request API access. You'll receive:
- Client ID: A public identifier
- Client Secret: A confidential secret
🔒 Keep your secret secure!
- Never commit secrets to version control
- Never expose secrets in client-side code or public repositories
- Store in environment variables or a secure secret management system (e.g., AWS Secrets Manager, HashiCorp Vault)
- Rotate credentials periodically
- Monitor for unauthorized access
```
POST https://api.mvmnt.io/oauth2/token
```

Headers:

```
Content-Type: application/x-www-form-urlencoded
```

Body Parameters:

```
grant_type=client_credentials
client_id=YOUR_CLIENT_ID
client_secret=YOUR_CLIENT_SECRET
```

```bash
curl -X POST https://api.mvmnt.io/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"
```

Status: 200 OK

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI3YjNmOGQ5ZTRjMmExZjVlIiwiaWF0IjoxNzA1MzI2NjAwLCJleHAiOjE3MDUzMzAyMDAsInNjb3BlIjoibXZtbnQtYXBpIn0...",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

Response Fields:
| Field | Type | Description |
|---|---|---|
| `access_token` | string | JWT Bearer token to use for API requests |
| `token_type` | string | Always `Bearer` |
| `expires_in` | integer | Token lifetime in seconds (3600 = 1 hour) |
Status: 400 Bad Request

```json
{
  "error": "invalid_client",
  "error_description": "Client authentication failed"
}
```

Common Errors:
| Error Code | Description | Solution |
|---|---|---|
| `invalid_client` | Client ID or secret is incorrect | Verify credentials |
| `invalid_grant` | Grant type is not `client_credentials` | Use `grant_type=client_credentials` |
| `unauthorized_client` | Client is not authorized | Contact MVMNT support |
Include the access token in the `Authorization` header for all API requests:

```
Authorization: Bearer YOUR_ACCESS_TOKEN
```

```bash
curl https://api.mvmnt.io/v1/orders \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
```

Access tokens expire after 1 hour (3600 seconds).
- Cache the token in memory and reuse it for multiple requests
- Track expiration using the `expires_in` value
- Refresh proactively before expiration (e.g., refresh at 55 minutes)
- Handle 401 errors by requesting a new token and retrying
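
The caching rules above, as an added Python example (not MVMNT's own code): an in-memory cache that refreshes at the 55-minute mark and retries once on a 401. `TokenCache`, `from_env` and the `MVMNT_CLIENT_ID` / `MVMNT_CLIENT_SECRET` environment variable names are assumptions; `fetch` and `clock` are injectable so the logic can be exercised without network access.

```python
import json
import os
import threading
import time
from urllib import parse, request

TOKEN_URL = "https://api.mvmnt.io/oauth2/token"  # token endpoint given on the page
REFRESH_MARGIN = 300  # seconds: refresh a 3600 s token at the 55-minute mark


def post_token(client_id, client_secret):
    """Default transport: form-encoded POST to the token endpoint."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    req = request.Request(TOKEN_URL, data=parse.urlencode(form).encode(),
                          headers={"Content-Type": "application/x-www-form-urlencoded"})
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """In-memory token cache (hypothetical helper, not an MVMNT SDK class)."""

    def __init__(self, client_id, client_secret, fetch=post_token, clock=time.monotonic):
        self._creds = (client_id, client_secret)
        self._fetch, self._clock = fetch, clock
        self._token, self._refresh_at = None, 0.0
        self._lock = threading.Lock()  # one refresh at a time across threads

    def token(self, force=False):
        """Return the cached token; fetch a new one if missing, stale or forced."""
        with self._lock:
            if force or self._token is None or self._clock() >= self._refresh_at:
                data = self._fetch(*self._creds)
                self._token = data["access_token"]
                self._refresh_at = self._clock() + max(int(data["expires_in"]) - REFRESH_MARGIN, 0)
            return self._token

    def call(self, send):
        """send(token) -> (status, body); on 401, get a new token and retry once."""
        status, body = send(self.token())
        if status == 401:
            status, body = send(self.token(force=True))
        return status, body


def from_env(**kwargs):
    # Assumed variable names; reading them here keeps the secret out of source code.
    return TokenCache(os.environ["MVMNT_CLIENT_ID"], os.environ["MVMNT_CLIENT_SECRET"], **kwargs)
```

`send` is any callable that performs one API request with the given token in the `Authorization: Bearer` header and returns the status code and body.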