Authentication
How to authenticate your application with npayload using the SDK or direct HTTP calls
Every request to the npayload API must be authenticated. The SDK handles this automatically. If you are integrating without the SDK, this page explains how to authenticate using direct HTTP calls.
Using the SDK (recommended)
The SDK handles authentication, token management, and request signing automatically. You provide your credentials and the SDK does the rest.
```typescript
import { NPayloadAuth, NPayloadClient } from '@npayload/node';

const auth = new NPayloadAuth({
  clientId: process.env.NPAYLOAD_CLIENT_ID!, // oac_...
  hmacSecret: process.env.NPAYLOAD_HMAC_SECRET!,
});

const npayload = new NPayloadClient({ auth });
```

That is it. The SDK manages token exchange, automatic refresh, and request signing. You never need to handle tokens directly.
Getting your credentials
- Log in to admin.npayload.com
- Select your Organisation and App
- Navigate to Machine Credentials and register a new client
- Copy your Client ID (starts with oac_) and HMAC Secret
Never expose your HMAC secret in client-side code or public repositories. Store it in a secret vault such as AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, or your platform's secret store.
Direct HTTP authentication
If you are not using the SDK, authenticate with the following steps.
Step 1: Request an access token
```bash
curl -X POST https://api.npayload.com/oauth/token \
  -H "Content-Type: application/json" \
  -H "DPoP: <dpop_proof_jwt>" \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "oac_your_client_id",
    "client_secret": "<hmac_signature>"
  }'
```

Step 2: Use the token in API calls

```bash
curl -H "Authorization: DPoP <access_token>" \
  -H "DPoP: <dpop_proof_for_this_request>" \
  https://api.npayload.com/v1/channels
```

npayload uses DPoP (Demonstrating Proof of Possession, RFC 9449), which binds each access token to the key pair of the client that requested it. A token captured in transit or from a log cannot be replayed by another party that does not hold the matching private key, and each proof is tied to a single HTTP method and URL. See the API reference for full details on constructing DPoP proofs.
Scopes
Request only the scopes your application needs.
| Scope | Allows |
|---|---|
| channels:read | List and get channels |
| channels:write | Create, update, delete channels |
| messages:write | Publish messages |
| messages:read | Read messages and streams |
| subscriptions:read | List subscriptions |
| subscriptions:write | Create, update, delete subscriptions |
| deliveries:read | View delivery status |
| dlq:read | View dead letter queue entries |
| dlq:write | Replay DLQ entries |
Best practices
- Store credentials in a secret vault (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, or similar). Never hardcode secrets in your source code
- Use the SDK whenever possible. It handles token rotation automatically
- Rotate your HMAC secret regularly via the dashboard
- Request only the scopes your application needs