This guide shows how to authenticate with the Corti API using OAuth 2.0 client credentials.

The fastest way to authenticate is with an official SDK. The SDK handles the OAuth2 token exchange and refresh automatically. See the SDK overview for setup and usage details.

Install the SDK in your project:
npm install @corti/sdk
# or
yarn add @corti/sdk
# or
pnpm add @corti/sdk
Create a client to call the API:
import { CortiClient } from "@corti/sdk";

const client = new CortiClient({
    environment: "YOUR_ENVIRONMENT_ID",
    tenantName: "YOUR_TENANT_NAME",
    auth: {
        clientId: "YOUR_CLIENT_ID",
        clientSecret: "YOUR_CLIENT_SECRET",
    },
});
If you only need a token:
import { CortiAuth } from "@corti/sdk";

const auth = new CortiAuth({
  environment: "YOUR_ENVIRONMENT_ID",
  tenantName: "YOUR_TENANT_NAME",
});

const token = await auth.getToken({
  clientId: "YOUR_CLIENT_ID",
  clientSecret: "YOUR_CLIENT_SECRET",
});

console.log("accessToken:", token.accessToken);
For full SDK authentication documentation including bearer tokens, PKCE, authorization code, and ROPC flows, see the JavaScript Authentication Guide or the .NET Authentication Guide.

Authenticate using manual code examples

If you prefer to handle OAuth manually without an SDK, use the examples below:
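// Replace these with your values. Keep the client secret out of source control;
// in a deployed service, load it from an environment variable or a secret store.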
const CLIENT_ID = "<your client id>";
const CLIENT_SECRET = "<your client secret>";
const ENV = "<eu-or-us>";       // "eu" or "us"
const TENANT = "<your tenant>"; // for example "base"

async function getAccessToken() {
  const tokenUrl = `https://auth.${ENV}.corti.app/realms/${TENANT}/protocol/openid-connect/token`;

  const params = new URLSearchParams();
  params.append("client_id", CLIENT_ID);
  params.append("client_secret", CLIENT_SECRET);
  params.append("grant_type", "client_credentials");
  params.append("scope", "openid");

  const res = await fetch(tokenUrl, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: params
  });

  if (!res.ok) {
    throw new Error(`Failed to get token, status ${res.status}`);
  }

  const data = await res.json();
  return data.access_token;
}

// Example usage
getAccessToken().then(token => {
  console.log("Access token:", token);
}).catch(err => {
  console.error("Error:", err);
});
Tokens expire after 300 seconds (5 minutes); refresh as needed.
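
Because of the 300-second lifetime, a long-running service has to renew its token continually. The following added example (not Corti's SDK and not code from this page) caches the token, renews it 30 seconds early, and shares one in-flight request among concurrent callers. `createTokenProvider`, `fetchImpl`, `now`, `skewSeconds` and `demo` are hypothetical names, and the stub endpoint and credentials in `demo` are constructed so the block runs offline.

```javascript
// Added example, not Corti's own code. createTokenProvider, fetchImpl, now and
// skewSeconds are hypothetical names; the token URL and form fields come from the page.
function createTokenProvider({ env, tenant, clientId, clientSecret,
  fetchImpl = globalThis.fetch, now = Date.now, skewSeconds = 30 }) {
  const tokenUrl = `https://auth.${env}.corti.app/realms/${tenant}/protocol/openid-connect/token`;
  let cached = null;   // { token, expiresAt }, held in memory only and never logged
  let inFlight = null; // shared promise: concurrent callers cause one token request

  async function requestToken() {
    const res = await fetchImpl(tokenUrl, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({ client_id: clientId, client_secret: clientSecret,
        grant_type: "client_credentials", scope: "openid" }),
    });
    if (!res.ok) throw new Error(`Failed to get token, status ${res.status}`);
    const data = await res.json();
    // expires_in is the standard OAuth 2.0 response field; assume the documented
    // 300 s when it is absent. Renew skewSeconds early so a token never expires in use.
    const lifetime = Number(data.expires_in) || 300;
    cached = { token: data.access_token, expiresAt: now() + (lifetime - skewSeconds) * 1000 };
    return cached.token;
  }

  return function getToken() {
    if (cached && now() < cached.expiresAt) return Promise.resolve(cached.token);
    // A failed request clears inFlight, so the next caller retries.
    if (!inFlight) inFlight = requestToken().finally(() => { inFlight = null; });
    return inFlight;
  };
}

// Constructed offline run: a stub endpoint and a fake clock walk one token lifetime.
async function demo() {
  let clock = 0, calls = 0;
  const fetchImpl = async () => { const n = ++calls; return { ok: true, status: 200,
    json: async () => ({ access_token: `token-${n}`, expires_in: 300 }) }; };
  const getToken = createTokenProvider({ env: "eu", tenant: "base", clientId: "id",
    clientSecret: "constructed-secret", fetchImpl, now: () => clock });
  const [a, b] = await Promise.all([getToken(), getToken()]); // concurrent: one request
  clock = 269000; const c = await getToken(); // inside the 270 s window: cached
  clock = 270000; const d = await getToken(); // window over: renewed
  return { calls, tokens: [a, b, c, d] };
}

demo().then((r) => console.log(`${r.calls} token requests for ${r.tokens.length} calls`));
```

In a real service, omit `fetchImpl` and `now` to use the runtime's `fetch` and clock, and pass the client secret in from the environment or a secret store.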