
Admin API Authentication

The Admin API uses the OAuth 2.0 Client Credentials grant — a server-to-server flow that does not require user interaction. It is intended for backend automation, CI/CD pipelines, and programmatic management of connections and tokens across your Makini account.
When to use this vs Makini Link
Use the Admin API when your own backend needs to act on your Makini account — generating tokens, listing connections, or managing resources programmatically. Use Makini Link when your end users need to authorize their own systems.

Prerequisites

Before making Admin API requests, retrieve your credentials from the Makini dashboard:
1. Navigate to Settings > Application Settings.
2. Copy your Client ID and Client Secret.
Keep your Client Secret confidential. Never expose it in client-side code, public repositories, or frontend applications.

Obtaining an Access Token

Send a POST request to the token endpoint with your credentials:
A successful response returns an access token and a refresh token:
{
  "access_token": "eyJ0eXAiOiJKV1Qi...",
  "refresh_token": "eyJ0eXAiOiJSZWZy...",
  "token_type": "bearer",
  "expires_in": 1715674414
}
| Field | Description |
| --- | --- |
| access_token | Bearer token used to authenticate Admin API requests. Valid for 30 days. |
| refresh_token | Used to obtain a new token pair before expiry. Valid for 31 days. |
| token_type | Always bearer. |
| expires_in | Token expiry as a Unix timestamp. |

Making Authenticated Requests

Include the access token in the Authorization header of every Admin API request:
Requests without a valid token, or with an expired token, return 401 Unauthorized.

Refreshing a Token

When the access token is near expiry, use the refresh token to obtain a new pair without repeating the full credentials flow:
The response contains a new access_token and refresh_token. The previous tokens are invalidated.
It is recommended to set up a scheduled job that refreshes the token at an interval shorter than 30 days to avoid service interruption.
If the refresh token has also expired, repeat the full token request using your Client ID and Client Secret.
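
The refresh-or-reauthenticate decision described above, as an added example (not Makini's code). It reads expires_in as the absolute Unix timestamp the response fields describe and assumes both tokens are issued together, so the refresh token expires one day after the access token; the function names, the three-day margin and the on-disk token file are assumptions.

```python
import json
import os
import tempfile
import time

DAY = 86400
REFRESH_EXTRA = 1 * DAY   # page: refresh token lives 31 days, access token 30
REFRESH_MARGIN = 3 * DAY  # assumption: how early the scheduled job refreshes

# Constructed sample shaped like the token response above (token values are placeholders).
SAMPLE = {"access_token": "ACCESS_PLACEHOLDER", "refresh_token": "REFRESH_PLACEHOLDER",
          "token_type": "bearer", "expires_in": 1715674414}


def next_action(token, now=None, margin=REFRESH_MARGIN):
    """Return 'use', 'refresh' or 'reauthenticate' for a stored token response."""
    if str(token.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    now = time.time() if now is None else now
    access_exp = int(token["expires_in"])     # absolute Unix timestamp, not a duration
    refresh_exp = access_exp + REFRESH_EXTRA  # assumption: both tokens issued together
    if now < access_exp - margin:
        return "use"
    if now < refresh_exp:
        return "refresh"
    return "reauthenticate"  # both expired: full Client ID / Client Secret request


def save_tokens(path, token):
    """Atomically replace the stored pair; the file is readable by its owner only."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file with mode 0600
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(token, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # old pair is invalid after a refresh: no partial file
    except BaseException:
        os.unlink(tmp)
        raise
```

Because a refresh invalidates the previous pair, call save_tokens with the new response before the old file is discarded, and keep the file outside any repository or web root.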

Token Expiration Reference

| Token | Lifetime |
| --- | --- |
| Access token | 30 days |
| Refresh token | 31 days |

Example: Listing Connections

With a valid access token, the following request returns all connections associated with your account:
See the Connections page for details on connection properties and statuses.

Troubleshooting

| Symptom | Likely cause |
| --- | --- |
| 401 Unauthorized | Access token expired or malformed. Refresh or re-issue the token. |
| 400 Bad Request on token endpoint | Incorrect grant_type, or malformed JSON/form body. |
| 403 Forbidden | client_id or client_secret is invalid. Verify credentials in Application Settings. |
| Refresh returns 401 | Refresh token has expired. Re-authenticate using client credentials. |
Modified at 2026-03-26 12:54:12