The BillSentry API uses the OAuth2 client_credentials flow for M2M (machine-to-machine) authentication. Your system exchanges a Client ID and Client Secret for a short-lived JWT access token.

Obtain an access token

Make a POST request to the Token URL provided to you at onboarding.
POST {your_token_url}
Authorization: Basic {base64(client_id:client_secret)}
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=billreview%3Awrite

Token response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Imp3a...",
  "token_type": "Bearer",
  "expires_in": 3600
}
Always request the scope billreview:write. Tokens without this scope will be rejected by the API gateway.
Tokens are valid for approximately 1 hour. See Token Lifecycle for production-ready caching and refresh patterns.
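The token exchange above, as an added example written for this page (it is not BillSentry's SDK or sample code): it builds the POST with the client credentials in an HTTP Basic Authorization header, parses the token response, and caches the token until shortly before expires_in runs out. The token URL, client ID and client secret are placeholders, the 60 second refresh margin is an assumed safety value, and the injectable fetch and clock exist only so the cache can be exercised without a network. Standard library only.

```python
"""Added example, not BillSentry's own code: client_credentials token fetch
with HTTP Basic client authentication and expiry-aware caching."""
import base64
import json
import time
import urllib.parse
import urllib.request

SCOPE = "billreview:write"          # scope the API gateway requires
REFRESH_MARGIN_SECONDS = 60         # assumed margin: refresh before the gateway would reject us


def build_token_request(token_url, client_id, client_secret, scope=SCOPE):
    """Build the token POST. Credentials travel in the Authorization header
    (HTTP Basic), never in the form body or query string, so they do not land
    in access logs or referrers. urlencode emits scope=billreview%3Awrite."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode("ascii")
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def parse_token_response(raw, now=None):
    """Validate the token JSON and return (access_token, expires_at) where
    expires_at is absolute epoch seconds minus the refresh margin."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {doc.get('token_type')!r}")
    token = doc["access_token"]
    expires_in = int(doc["expires_in"])
    now = time.time() if now is None else now
    return token, now + max(expires_in - REFRESH_MARGIN_SECONDS, 0)


class TokenCache:
    """One cached token per client; fetches a fresh one only when the cached
    token is missing or inside the refresh margin. `fetch` takes a Request and
    returns the response bytes; `clock` returns epoch seconds. Both default to
    the real thing and are overridable for offline tests."""

    def __init__(self, token_url, client_id, client_secret, fetch=None, clock=time.time):
        self._make_request = lambda: build_token_request(token_url, client_id, client_secret)
        self._fetch = fetch or self._http_fetch
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0            # how many round trips to the token URL

    @staticmethod
    def _http_fetch(req):
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()

    def get(self):
        """Return a token that is valid for at least the refresh margin."""
        if self._token is None or self._clock() >= self._expires_at:
            self.fetch_count += 1
            raw = self._fetch(self._make_request())
            self._token, self._expires_at = parse_token_response(raw, now=self._clock())
        return self._token
```

Hold the cache at process scope and call get() right before every API call; with the page's expires_in of 3600 this costs one token round trip per hour per client rather than one per request.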

Compression requirement

All request bodies must be gzip-compressed. The API gateway forwards the raw request body and its Content-Encoding header directly to the processing engine without modification — uncompressed requests will be rejected. Send these two headers on every API call:
Content-Type: application/json
Content-Encoding: gzip
The body must be the gzip-compressed bytes of a valid JSON object. Content-Type remains application/json regardless of compression — it describes the underlying data format, not the encoding.
Maximum body size: 10 MB measured against the compressed bytes received by the gateway.
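The compression requirement in working form, as an added example that is not BillSentry's own client code: it serialises a JSON object, gzips it, refuses anything over the 10 MB compressed limit before the bytes leave the client, attaches the two required headers plus the bearer token, and includes a decoder that mirrors what the processing engine must do with the untouched body and Content-Encoding it receives from the gateway. The API URL is a placeholder, the `limit` parameter and the pinned gzip mtime are choices made for this example, and the sample payload is constructed. Standard library only.

```python
"""Added example, not BillSentry's own code: gzip-compressed JSON request
bodies with the headers the gateway requires, plus a gateway-side decoder."""
import gzip
import io
import json
import urllib.request

MAX_COMPRESSED_BYTES = 10 * 1024 * 1024   # the limit applies to the compressed bytes


class BodyTooLarge(ValueError):
    """Raised client-side instead of letting the gateway reject a 10 MB+ body."""


def gzip_json_body(payload, limit=MAX_COMPRESSED_BYTES, mtime=0):
    """Serialise `payload` as compact JSON and gzip it.
    mtime is pinned (assumed value 0) so identical payloads produce identical
    bytes, which keeps retries and request signing deterministic."""
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        gz.write(raw)
    body = buf.getvalue()
    if len(body) > limit:
        raise BodyTooLarge(f"compressed body is {len(body)} bytes, limit is {limit}")
    return body


def api_headers(access_token):
    """Headers for every BillSentry API call. Content-Type describes the JSON
    inside; Content-Encoding describes the gzip wrapper around it."""
    return {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
        "Content-Encoding": "gzip",
    }


def build_api_request(url, access_token, payload):
    """Compose a ready-to-send POST with a compressed body and the headers above."""
    return urllib.request.Request(
        url, data=gzip_json_body(payload), headers=api_headers(access_token), method="POST"
    )


def decode_as_engine_would(body, content_encoding):
    """What the processing engine has to do: the gateway forwards the body and
    Content-Encoding unmodified, so a request without gzip is rejected and a
    gzip body is inflated before it is parsed as JSON."""
    if content_encoding != "gzip":
        raise ValueError("uncompressed request rejected")
    return json.loads(gzip.decompress(body).decode("utf-8"))


def round_trip(payload):
    """Compress a payload and decode it the way the engine would; used to
    check that the compressed bytes carry the original JSON object."""
    return decode_as_engine_would(gzip_json_body(payload), "gzip")


# Constructed sample payload; the field names are illustrative only.
SAMPLE_PAYLOAD = {"bill_id": "B-1", "amount": 12.5, "lines": [{"sku": "A", "qty": 2}]}

if __name__ == "__main__":
    req = build_api_request("https://example.invalid/v1/bills", "TOKEN", SAMPLE_PAYLOAD)
    print(req.get_method(), req.full_url, len(req.data), "compressed bytes")
```

Sending a 10 MB body uncompressed is the common mistake the limit wording guards against: the gateway counts the bytes it receives, so a client that checks the size of its JSON string rather than the gzip output can be rejected by a body it believed was in bounds.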