OAuth 2.0 Client Credentials flow
Overview
The Partner API uses the OAuth 2.0 Client Credentials flow, designed for machine-to-machine communication where a client (such as a backend service) authenticates itself to access resources without a user.
Benefits of OAuth 2.0 Client Credentials
- Credentials are never embedded in API payloads.
- A simplified authentication model results in faster API calls.
- Most partners can leverage existing OAuth 2.0 libraries and client implementations.
- This flow is opt-in and doesn't replace the existing legacy authentication workflow.
If the Authorization header is not included in the request, the backend will fall back to Basic authentication.
Enrollment
To obtain a client ID and secret for OAuth 2.0 authentication, reach out to your account manager.
Automatic self-registration is not supported. To use the OAuth 2.0 authentication scheme, partners must complete a manual enrollment process.
Authentication workflow
The OAuth 2.0 workflow consists of three main steps:
- Discover the token endpoint
Use the OpenID configuration endpoint to obtain OAuth 2.0 metadata. This response can be cached for long-term use, enabling reuse without additional API requests.
Example request:
    curl https://api.sitelock.com/.well-known/openid-configuration
Example response:
    {
      "jwks_uri": "https://api.sitelock.com/.well-known/jwks.json",
      "grant_types_supported": [
        "authorization_code", "password", "client_credentials",
        "urn:ietf:params:oauth:grant-type:token-exchange"
      ],
      "id_token_signing_alg_values_supported": ["RS256", "EC256", "EdDSA"],
      "token_endpoint": "https://api.sitelock.com/v2/oauth2/token",
      "issuer": "https://api.sitelock.com",
      "scopes_supported": ["openid", "profile", "email"],
      "authorization_endpoint": "https://api.sitelock.com/v2/oauth2/auth",
      "registration_endpoint": "https://api.sitelock.com/v2/oauth2/register",
      "claims_supported": ["sub", "iss", "aud", "exp", "iat", "client_id", "nonce", "name", "email"],
      "token_endpoint_auth_methods_supported": [
        "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt"
      ]
    }
- Authenticate with the client ID and secret to request an access token from the token endpoint.
The currently supported client authentication method is client_secret_basic.
Example request:
    curl \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -H 'Authorization: Basic <base64(client_id:client_secret)>' \
      -X POST \
      --data-urlencode grant_type=client_credentials \
      --data-urlencode scope=partner \
      ${token_endpoint}
Example response:
    {
      "scope": "partner",
      "expires_in": 14400,
      "token_type": "Bearer",
      "access_token": "<access_token>"
    }
- Make an API call with the access token.
The <authentication> element in the XML payload will be ignored when an Authorization: Bearer header is included.
Example request:
    curl \
      -H "Content-Type: application/xml" \
      -H "Authorization: Bearer <access_token>" \
      --data-raw "<SiteLockOnlineRequest>
        <getStatus>
          <type>live</type>
          <accountInformation>
            <id>${account_id}</id>
          </accountInformation>
        </getStatus>
      </SiteLockOnlineRequest>" \
      https://api.sitelock.com/v1/partner/getStatus
Example response:
    <?xml version='1.0' standalone='yes'?>
    <SiteLockOnlineResponse>
      <getStatus>
        <accountInformation>
          <name>First Last</name>
          <id>123456</id>
          <isTest>no</isTest>
          <status>active</status>
        </accountInformation>
        <siteInformation>
          <site>
            <alerts_email>[email protected]</alerts_email>
            <amount>180.99</amount>
            <billing_authority>partner</billing_authority>
            <compliance>Pending</compliance>
            <domain>example.com</domain>
            <frequency>1</frequency>
            <next_renewal_at>2026-01-20</next_renewal_at>
            <over_limit>0</over_limit>
            <page_limit>10000</page_limit>
            <pages_checked>0</pages_checked>
            <site_id>123</site_id>
            <site_status>active</site_status>
            <subscription>456</subscription>
            <subscription_id>789</subscription_id>
            <subscription_plan_name>SiteLock Enterprise</subscription_plan_name>
            <subscription_start_date>2025-12-20 06:09:12</subscription_start_date>
            <subscription_state>active</subscription_state>
            <subscription_type>bundle</subscription_type>
            <trusted_domain>yes</trusted_domain>
          </site>
        </siteInformation>
        <users>
          <user>
            <name>First Last</name>
            <email>[email protected]</email>
            <login>example_login</login>
            <owner>yes</owner>
          </user>
        </users>
      </getStatus>
    </SiteLockOnlineResponse>
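Steps 1 and 2 of the workflow above, sketched as a Python client for a backend service (an added example, not SiteLock's own code): it checks the discovery document before trusting its token endpoint, builds the client_secret_basic header, and reuses the access token until shortly before expires_in elapses. The function and class names, the same-host check on the token endpoint, the 60-second refresh margin and the RFC 6749 encoding of the credentials are assumptions of this example.

```python
import base64
import json
import time
from urllib.parse import quote_plus, urlencode, urlsplit
from urllib.request import Request, urlopen

ISSUER = "https://api.sitelock.com"  # "issuer" value from the discovery response on this page

def token_endpoint_from(metadata):
    # Validate discovery metadata before caching it: a tampered or stale document
    # must not be able to redirect the client secret to another host (assumed policy).
    if metadata.get("issuer") != ISSUER:
        raise ValueError("unexpected issuer in discovery document")
    if "client_secret_basic" not in metadata.get("token_endpoint_auth_methods_supported", []):
        raise ValueError("client_secret_basic is not advertised")
    url = urlsplit(metadata["token_endpoint"])
    if url.scheme != "https" or url.hostname != urlsplit(ISSUER).hostname:
        raise ValueError("token endpoint is not HTTPS on the issuer host")
    return metadata["token_endpoint"]

def basic_auth_header(client_id, client_secret):
    # RFC 6749 section 2.3.1: form-urlencode each part, join with ":", then base64.
    # For values made of letters, digits, "-", "_", "." this equals base64(client_id:client_secret).
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def request_token(endpoint, client_id, client_secret):
    # Step 2 of the workflow; performs a real network call, so nothing runs it on import.
    body = urlencode({"grant_type": "client_credentials", "scope": "partner"}).encode()
    req = Request(endpoint, data=body, headers={
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    # Reuses one access token until `skew` seconds before expires_in elapses.
    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            resp = self._fetch()
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = resp["access_token"]
            self._expires_at = self._clock() + resp["expires_in"] - self._skew
        return self._token
```

In a service, construct the cache once as `TokenCache(lambda: request_token(endpoint, client_id, client_secret))` and call `get()` before each API request, loading the client secret from a secret store rather than from source code.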