OAuth 2.0 token exchange
Updated February 14, 2026
Overview
ComplianceGrid implements the OAuth 2.0 Client Credentials grant type (RFC 6749, Section 4.4). This flow is designed for server-to-server communication where no end-user interaction is required.
Token Endpoint
```http
POST /oauth/token
Host: sandbox.api.compliancegrid.ai (or api.compliancegrid.ai)
Content-Type: application/x-www-form-urlencoded
```
Request Parameters
| Parameter | Required | Description |
|---|---|---|
| `grant_type` | Yes | Must be `client_credentials` |
| `client_id` | Yes | Your credential ID from the Developer Portal |
| `client_secret` | Yes | Your API key (`cg_sk_` or `cg_pk_`) |
Example Request
```bash
curl -X POST https://sandbox.api.compliancegrid.ai/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=cred_abc123" \
  -d "client_secret=cg_sk_your_sandbox_key_here"
```
Success Response (200)
```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "api",
  "environment": "sandbox"
}
```
Error Responses
| Status | Error | Description |
|---|---|---|
| 400 | `invalid_request` | Missing or malformed parameters |
| 401 | `invalid_client` | Wrong `client_id` or `client_secret` |
| 400 | `unsupported_grant_type` | Only `client_credentials` is supported |
Token Introspection
Check whether a token is still valid before using it against the API:
```bash
curl -X POST https://sandbox.api.compliancegrid.ai/oauth/introspect \
  -d "token=$CG_TOKEN"
```
Token Revocation
Immediately invalidate a token:
```bash
curl -X POST https://sandbox.api.compliancegrid.ai/oauth/revoke \
  -d "token=$CG_TOKEN"
```
Implementation Tips
- Cache tokens in memory and reuse them until near expiration
- Request a new token when you receive a 401 response
- Set a buffer (e.g., refresh at 3500 seconds instead of waiting for 3600)
- Never share tokens between environments — sandbox tokens only work with the sandbox host
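The request above and the four implementation tips fit together in one small client: a token is fetched with the client-credentials POST, cached in memory, refreshed 100 seconds before `expires_in` runs out (3500 of 3600), dropped and re-fetched once on a 401, and bound to a single base URL so a sandbox token can never be sent to the production host. This is an added example, not ComplianceGrid's SDK; only the endpoint paths, form parameters and JSON fields come from this page. The class names, `REFRESH_BUFFER_SECONDS`, the injectable transport/clock, and `FakeTokenServer` (a constructed stand-in so the code runs offline) are assumptions of the example.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Example client (not ComplianceGrid's SDK). Endpoint paths and JSON fields are from
# the page; names below and the fake server are constructed for illustration.
SANDBOX_BASE = "https://sandbox.api.compliancegrid.ai"
REFRESH_BUFFER_SECONDS = 100  # refresh at 3500s rather than waiting for the full 3600s
Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]


class TokenError(Exception):
    """Raised when the token endpoint answers with an OAuth error response."""
    def __init__(self, status: int, error: str):
        super().__init__(f"{status} {error}")
        self.status, self.error = status, error


def urllib_transport(url: str, form: Dict[str, str]) -> Tuple[int, dict]:
    """Real HTTP transport: form-encoded POST, returns (status, parsed JSON) for any status."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as exc:  # 400/401 still carry a JSON error body
        try:
            return exc.code, json.loads(exc.read())
        except ValueError:
            return exc.code, {"error": "invalid_response"}


class TokenClient:
    """Caches one bearer token for one host and one credential; refreshes it early."""

    def __init__(self, client_id: str, client_secret: str, base_url: str = SANDBOX_BASE,
                 transport: Transport = urllib_transport, clock: Callable[[], float] = time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.base_url = base_url.rstrip("/")  # the cached token is only ever sent to this host
        self.transport, self.clock = transport, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetches = 0  # how often the token endpoint was actually called

    def _post(self, path: str, form: Dict[str, str]) -> Tuple[int, dict]:
        return self.transport(f"{self.base_url}{path}", form)

    def _fetch(self) -> str:
        status, body = self._post("/oauth/token", {"grant_type": "client_credentials",
                                                   "client_id": self.client_id,
                                                   "client_secret": self.client_secret})
        self.fetches += 1
        if status != 200:
            raise TokenError(status, body.get("error", "unknown_error"))
        self._token = body["access_token"]
        self._expires_at = self.clock() + float(body["expires_in"])
        return self._token

    def get_token(self) -> str:
        """Reuse the cached token unless it is within REFRESH_BUFFER_SECONDS of expiry."""
        if self._token and self.clock() < self._expires_at - REFRESH_BUFFER_SECONDS:
            return self._token
        return self._fetch()

    def invalidate(self) -> None:
        self._token, self._expires_at = None, 0.0

    def call(self, request: Callable[[str], Tuple[int, dict]]) -> Tuple[int, dict]:
        """Run an API call with a bearer token; on 401, drop the cache and retry once."""
        status, body = request(self.get_token())
        if status == 401:
            self.invalidate()
            status, body = request(self.get_token())
        return status, body

    def introspect(self, token: str) -> Tuple[int, dict]:
        return self._post("/oauth/introspect", {"token": token})

    def revoke(self, token: str) -> Tuple[int, dict]:
        return self._post("/oauth/revoke", {"token": token})


class FakeTokenServer:
    """Constructed stand-in for the sandbox token endpoint so the example runs offline."""

    def __init__(self, client_id: str, client_secret: str, expires_in: int = 3600):
        self.client_id, self.client_secret, self.expires_in = client_id, client_secret, expires_in
        self.issued = 0

    def __call__(self, url: str, form: Dict[str, str]) -> Tuple[int, dict]:
        if not url.endswith("/oauth/token"):
            return 200, {"active": True}  # introspect/revoke are not modelled here
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        if form.get("client_id") != self.client_id or form.get("client_secret") != self.client_secret:
            return 401, {"error": "invalid_client"}
        self.issued += 1
        return 200, {"access_token": f"constructed.token.{self.issued}", "token_type": "Bearer",
                     "expires_in": self.expires_in, "scope": "api", "environment": "sandbox"}


if __name__ == "__main__":
    now = [1000.0]  # controllable clock for the offline demo
    server = FakeTokenServer("cred_abc123", "cg_sk_constructed_secret")
    client = TokenClient("cred_abc123", "cg_sk_constructed_secret", transport=server, clock=lambda: now[0])
    print(client.get_token(), client.get_token(), "fetches:", client.fetches)  # one fetch, same token
    now[0] += 3500  # inside the refresh buffer, so the next call fetches a fresh token
    print(client.get_token(), "fetches:", client.fetches)
```

For real use, replace `FakeTokenServer` with the default `urllib_transport` and pass `base_url="https://api.compliancegrid.ai"` for production; because each `TokenClient` is pinned to one host, keeping separate instances per environment is what enforces the last tip.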