
API credentials

Written by Daniel Ferguson
Updated today

To create API credentials for your company, navigate to the API section in the Company Setup page. This page is restricted to users with the auth manager role. Contact support if you cannot access it.

🔒 Important security note: API credentials are company-level, not user-level. Each set of credentials grants access to all projects the company can access.

Visibuild supports two types of API credentials:

  • OAuth client credentials – The recommended approach. Creates a client ID and client secret that you exchange for short-lived access tokens (1 hour). More secure as secrets are never sent directly with API requests.

  • Legacy bearer tokens – Long-lived tokens (1 month to 1 year) included directly in API requests. Still supported but not recommended for new integrations.

Creating OAuth credentials

  1. Click Create OAuth credentials

  2. Provide a name and select a scope (Read, or Read and write)

  3. Click Create

  4. Copy both the Client ID and Client Secret – the secret will not be shown again

Using OAuth credentials

Exchange your client ID and secret for an access token by making a POST request to the token endpoint:

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=read

Requesting scopes

When exchanging your client credentials for an access token, include the scope parameter to specify the access level. The scope must match or be a subset of the scope selected when creating the credentials.

| Scope selected in UI | scope parameter value |
|----------------------|-----------------------|
| Read                 | read                  |
| Read and write       | read write            |

curl -X POST https://app.visibuild.com.au/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=read%20write"

Note: If you omit the scope parameter, the token may be issued with read-only access regardless of the credential's configured scope. Always include scope=read write (space-separated) if your integration needs to create or update resources.

Include the returned access token as a Bearer token in the Authorization header of each API request:

Authorization: Bearer YOUR_ACCESS_TOKEN

Access tokens expire after 1 hour. Request a new token when the current one expires.

Creating a legacy bearer token

  1. Click the dropdown arrow next to Create OAuth credentials and select Create legacy token

  2. Provide a name, select a scope, and choose an expiration period

  3. Click Generate

  4. Copy your token – it will not be shown again

Using a legacy token

Include your token as a Bearer token in the Authorization header of each API request:

Authorization: Bearer YOUR_TOKEN
