Skip to content
API reference
/
Authentication
/
/
Get API users for a TMC

Auth API (v2)

Download OpenAPI description
AuthApi.json
AuthApi.yaml
Languages
Servers
Sandbox URL
https://api-ext-sboxmeta.partners.spotnana.com
Spotnana mock server
https://developer.spotnana.com/_mock/openapi/authapi

Authentication

Authentication APIs for user login, logout, and token management

Operations

API User

Operations

Create a new API user

Request

Creates a new API user (also known as a machine user) that your application can use to authenticate with Spotnana APIs. Each API user is scoped to a specific TMC and role, giving you control over what level of access the credentials grant.

Use this endpoint to:

  • Generate a dedicated clientId and clientSecret pair that your backend services can use to obtain access tokens.
  • Assign either a TMC admin or a company admin role to scope what the API user can do across your organization.

Next steps:

  • Use the clientId and clientSecret in the POST /v2/auth/oauth2-token endpoint to obtain an access token.

Notes:

  • Store the clientSecret securely. It is only returned once at creation and cannot be retrieved later.
  • You can create up to 5 API users per TMC. To increase this limit, contact your Spotnana representative.
  • Only a TMC admin can use this endpoint to create API users.
Bodyapplication/jsonrequired
tmcIdstring

Tmc id

Example: "ecc5b835-8001-430c-98f8-fedeccebe4cf"
orgIdstring

Org id

Example: "ecc5b835-8001-430c-98f8-fedeccebe4cf"
rolestring(ApiUserRoleEnum)

Roles supported for api user creation

Enum"TMC_ADMIN""COMPANY_ADMIN"
curl -i -X POST \
  https://api-ext-sboxmeta.partners.spotnana.com/v2/api-users \
  -H 'Content-Type: application/json' \
  -d '{
    "tmcId": "ecc5b835-8001-430c-98f8-fedeccebe4cf",
    "orgId": "ecc5b835-8001-430c-98f8-fedeccebe4cf",
    "role": "TMC_ADMIN"
  }'

Responses

User created successfully

Bodyapplication/json
clientIdstring

Api user client id

Example: "1ddj3hs95to28iag7m4hl9lv2"
clientSecretstring

Api user client secret

Example: "1hgea74sii6os6vlkk1c7krlfgniaphbn2c56pml"
Response
application/json
{
  "clientId": "1ddj3hs95to28iag7m4hl9lv2",
  "clientSecret": "1hgea74sii6os6vlkk1c7krlfgniaphbn2c56pml"
}

Get API users for a TMC

Request

Retrieves the list of all active API users associated with the caller's TMC.

Use this endpoint to:

  • Audit existing API users and their clientIds under a TMC.
  • Look up the clientId for a specific API user before rotating its client secret or revoking access.

Notes:

  • This endpoint supports pagination using limit and offset query parameters.
  • The response includes only the clientId for each user. The clientSecret is never returned.
  • Returns only the API users belonging to the caller's contracting TMC.
  • Only a TMC admin can use this endpoint.
Query
limitinteger[ 0 .. 100 ]

Number of results to return

Default 100
offsetinteger>= 0

Offset for pagination

Default 0
curl -i -X GET \
  'https://api-ext-sboxmeta.partners.spotnana.com/v2/api-users?limit=100&offset=0'

Responses

OK

Bodyapplication/json
apiUsersArray of objects(ApiUsersInfo)

List of api users

Response
application/json
{
  "apiUsers": [
    {}
  ]
}

Delete an API user

Request

Permanently deletes an API user and revokes its access to the Spotnana platform. This immediately invalidates all existing access tokens and removes the API user's ability to authenticate.

Use this endpoint to:

  • Revoke access for an API user that is no longer needed.
  • Decommission an integration or clean up unused API users.
  • Free up a slot in your TMC's API user quota (default up to 5 API users per TMC).

Best practice:

Before revoking, ensure no active integrations are using this clientId. Be sure to:

  1. create a new API user first
  2. update your integrations to use the new credentials
  3. verify they work
  4. and then revoke the old API user.

Notes:

  • This action is permanent and cannot be undone. The clientId and clientSecret are permanently invalidated.
  • All active tokens for this API user are invalidated immediately. Any in-flight API requests using those tokens will fail.
  • The API user being revoked must belong to the same TMC as the caller.
  • Only a TMC admin can use this endpoint.
Bodyapplication/jsonrequired
clientIdstring

Api user client id

curl -i -X POST \
  https://api-ext-sboxmeta.partners.spotnana.com/v2/api-users/revoke \
  -H 'Content-Type: application/json' \
  -d '{
    "clientId": "string"
  }'

Responses

No Content

Response
No content

Rotate client secret for an API user

Request

Generates a new clientSecret for an existing API user. The old clientSecret is immediately invalidated and all existing access tokens for the API user will be expired.

Use this endpoint to:

  • Rotate credentials as part of a regular security hygiene practice.
  • Replace a clientSecret without deleting the API user.
  • Generate a new clientSecret if the old secret was lost or not stored.

Best practice:

  • Update your integrations with the new clientSecret immediately after rotation. Any authentication requests using the old secret will fail.

Notes:

  • The new clientSecret is only returned once in the response and cannot be retrieved later. Store it securely.
  • The clientId remains the same.
  • The old clientSecret stops working immediately. Any integration using it will need to re-authenticate with the new secret.
  • All existing access tokens created using the old clientSecret are immediately invalidated.
  • Only a TMC admin can use this endpoint.
Bodyapplication/jsonrequired
clientIdstring

Api user client id

curl -i -X POST \
  https://api-ext-sboxmeta.partners.spotnana.com/v2/api-users/rotate \
  -H 'Content-Type: application/json' \
  -d '{
    "clientId": "string"
  }'

Responses

Client secret generated successfully

Bodyapplication/json
clientIdstring

Api user client id

Example: "1ddj3hs95to28iag7m4hl9lv2"
clientSecretstring

Api user client secret

Example: "1hgea74sii6os6vlkk1c7krlfgniaphbn2c56pml"
Response
application/json
{
  "clientId": "1ddj3hs95to28iag7m4hl9lv2",
  "clientSecret": "1hgea74sii6os6vlkk1c7krlfgniaphbn2c56pml"
}
Copyright © 2025 Spotnana Technology, Inc.