Platform Platform overview Modules Solutions Industries Commodities Roles Quant More Pricing Customers Knowledge Center Blog Company Request Demo
Knowledge Center · API

Authentication

Secure access with short-lived, signed tokens, an OAuth-style handshake, scoped to least privilege and governed by the same permission model as the UI.

9 min read · Back to API Reference · Data dictionary

The handshake

Applications authenticate by exchanging client credentials for a short-lived, signed access token, then presenting that token as a bearer token on every API call. The credentials never travel on individual requests; only the short-lived token does.

Governed coreRESTGraphQLWebhooksStreamingOwn UIERP / SAPAnalyticsAutomation
Every capability is exposed as REST, GraphQL, webhook, and streaming interfaces over one governed core. The product’s own UI is just another consumer of the same APIs, which is what proves they are complete.
httpPOST /v1/oauth/token HTTP/1.1
Host: api.gravitasetrm.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=svc-risk-etl
&client_secret=***
&scope=positions:read valuations:read
jsonHTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
  "token_type": "Bearer",
  "expires_in": 900,
  "scope": "positions:read valuations:read"
}

Using the token

Present the token in the Authorization header on every call. When it expires (typically minutes, not hours) request a new one. An SDK does this refresh for you automatically.

pythonimport time, requests

class TokenProvider:
    def __init__(self, client_id, secret):
        self.client_id, self.secret = client_id, secret
        self._token, self._exp = None, 0

    def bearer(self):
        if time.time() > self._exp - 30:          # refresh before expiry
            r = requests.post("https://api.gravitasetrm.com/v1/oauth/token", data={
                "grant_type": "client_credentials",
                "client_id": self.client_id, "client_secret": self.secret,
                "scope": "positions:read valuations:read"})
            body = r.json()
            self._token = body["access_token"]
            self._exp = time.time() + body["expires_in"]
        return self._token

Tokens and scopes

Tokens are scoped to least privilege, an integration receives only the access it needs. Because tokens are short-lived and signed, a leaked token has a limited blast radius and a short lifetime.

Scope. a named permission such as positions:read or trades:write. A token carries only the scopes granted to its client, and the API rejects any call outside them, so a read-only ETL credential can never book a trade even if compromised.

Authorization

Beyond authentication (who you are), authorization (what you may do) is enforced by the same role and permission model used in administration, so API access respects the same governance as the UI. There is no privileged API back door; a service account is subject to the same rules as a human user with the same role.

Verify the token signature and expiry on every request; never trust an unsigned or expired token. The signature is what proves the token was issued by Gravitas and not forged.

Related

See this on your own trades

A live walkthrough is the fastest way to connect this to your desk.

Request a demo Back to API Reference