Last published: 2026-01-20
This guide outlines the steps for creating a client bearer token. Client bearer tokens are designed for distributing restricted-access tokens to clients in insecure environments, such as browsers or native apps, where the token might be exposed. Therefore, these tokens should only grant permissions for content consumption and should not have access to content or experience management functionality.
Note: This process creates a new API client intended for 'insecure' environments. It will only grant access to the read/view rendered content endpoint and will not have access to the management native API.
The first step is to create a new API client, authenticating with your existing API client bearer token (one is always created for your account when API access is set up). You can create as many clients as you need, for example to give each developer a separate client or to confine a third-party integration to its own credentials. The request looks like this:
curl -X POST -H "Authorization: Bearer $TOKEN" https://api.baack.co/n/v1/apiclient/ --data '{"owner":{"urn":"6f97bac3-26fe-4333-91f0-f12af2d1d167"},"scope":"api.baack.co","clientID":"Android"}'
{
"urn":"00a3ca73-2aa1-41e6-8d5d-4d586a6f8af8",
"scope":"api.baack.co",
"owner":{
"urn":"6f97bac3-26fe-4333-91f0-f12af2d1d167",
"url":"/n/v1/company/6f97bac3-26fe-4333-91f0-f12af2d1d167"},
"clientID":"Android"
}
Here we have created a new API Client for Android app access. The name (clientID) can be used to distinguish between different clients, but for the token to have access to Baack APIs, the scope must be set to api.baack.co.
To enable the API client to access the APIs, a bearer token must be created for it. This is done with a POST (create) request that passes a reference to the client created above.
curl -X POST -H "Authorization: Bearer $TOKEN" https://api.baack.co/n/v1/apiclientbearertoken/ --data '{"apiClient":{"urn":"00a3ca73-2aa1-41e6-8d5d-4d586a6f8af8"}}'
{
"Urn":"4a2e4abe-fd83-4f29-9fd0-57009474a7c9",
"apiClient":{
"Urn":"00a3ca73-2aa1-41e6-8d5d-4d586a6f8af8"},
"bearerToken":"47mOvO…"
}
Note that the request only references the API client: no token value is passed in, but one is returned (truncated here). Record the token now, because it is only returned on creation.
You can also create multiple tokens for the same client and set their expiration fields to control their lifecycle. Setting an expiration is recommended. Tokens that are proven to have been compromised may also be revoked with a given notice period.
3. Confirming the Bearer Token's Details
Here we simply check that the created bearer token exists. Note that we did not set an expiration. See the Bearer Token object reference for field details.
curl -X GET -H "Authorization: Bearer $TOKEN" https://api.baack.co/n/v1/apiclientbearertoken/4a2e4abe-fd83-4f29-9fd0-57009474a7c9
{
"urn": "4a2e4abe-fd83-4f29-9fd0-57009474a7c9",
"apiClient": {
"urn": "00a3ca73-2aa1-41e6-8d5d-4d586a6f8af8"
},
"bearerToken": "47mOvO..."
}
Conversely, if we use the new bearer token itself against the management API, even just to read its own record at the API client bearer token endpoint, access is denied: until a permission role grants it rights, the token has none. Note that the API answers NOT_FOUND rather than an authorization error, so an unprivileged caller learns nothing about whether the resource exists.
curl -X GET -H "Authorization: Bearer 47mOv…" https://api.baack.co/n/v1/apiclientbearertoken/4a2e4abe-fd83-4f29-9fd0-57009474a7c9
{
"httpCode": 404,
"apiCode": "NOT_FOUND"
}
In the final step, we associate the new API Client with a permission role to grant read-only access to the content consumption view API. Refer to the guides on managing permissions and roles for details on granting the necessary read permissions.
curl -X PUT -H "Authorization: Bearer $TOKEN" https://api.baack.co/n/v1/permissionrole/4adb9f61-6f01-42d0-9cab-b5fdfb4f87fb --data '{"urn":"4adb9f61-6f01-42d0-9cab-b5fdfb4f87fb","name":"Content Viewer","owner":{"urn":"6f97bac3-26fe-4333-91f0-f12af2d1d167","url":"/n/v1/company/6f97bac3-26fe-4333-91f0-f12af2d1d167"},"identities":[],"clients":[{"urn":"00a3ca73-2aa1-41e6-8d5d-4d586a6f8af8"}]}'
{
"urn":"4adb9f61-6f01-42d0-9cab-b5fdfb4f87fb",
"name":"Content Viewer",
"owner":{
"urn":"6f97bac3-26fe-4333-91f0-f12af2d1d167",
"url":"/n/v1/company/6f97bac3-26fe-4333-91f0-f12af2d1d167"},
"identities":[],
"clients":[{"urn":"00a3ca73-2aa1-41e6-8d5d-4d586a6f8af8"}]
}
That’s it! API client endpoints support all of the usual operations. See the API Client documentation for more information.
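The whole procedure as one script, added here as an example and not code from the Baack documentation or SDK. It runs the guide's four requests in order (create the API client, mint a bearer token, confirm it, attach the client to the permission role) and then performs the check from the step above: the new token must receive NOT_FOUND on the management API. Everything beyond the request and response shapes shown in this guide is an assumption: the BaackProvisioner class, the `send` transport hook, the `existing_clients` parameter (because PUT sends the whole role object, clients already on the role must be re-sent or they are dropped), and FakeBaack, a constructed in-memory stand-in for api.baack.co used only so the script runs offline. Swap `send=http_send` in against the real API with a management token in `$TOKEN`.

```python
"""Provision a restricted client bearer token on the Baack API.

Added example for this guide, not Baack's own code. BaackProvisioner, the
send hook and FakeBaack are assumptions; the request/response shapes follow
the guide.
"""
import json
import urllib.error
import urllib.request

BASE = "https://api.baack.co/n/v1"
REQUIRED_SCOPE = "api.baack.co"   # any other scope yields a client that cannot reach the APIs

NOT_FOUND = {"httpCode": 404, "apiCode": "NOT_FOUND"}


def http_send(method, url, token, body=None):
    """Real transport (assumed helper): returns (http status, decoded JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


class BaackProvisioner:
    """Runs the guide's management-API calls with an existing (management) bearer token."""

    def __init__(self, admin_token, send=http_send):
        self.admin_token = admin_token
        self.send = send

    def _call(self, method, path, body=None, token=None):
        status, payload = self.send(method, BASE + path, token or self.admin_token, body)
        if token is None and status >= 400:   # management calls must succeed
            raise RuntimeError(f"{method} {path} failed: {status} {payload}")
        return status, payload

    def create_client(self, owner_urn, client_id, scope=REQUIRED_SCOPE):
        if scope != REQUIRED_SCOPE:
            raise ValueError(f"scope must be {REQUIRED_SCOPE!r}, got {scope!r}")
        _, client = self._call("POST", "/apiclient/",
                               {"owner": {"urn": owner_urn}, "scope": scope, "clientID": client_id})
        return client["urn"]

    def create_bearer_token(self, client_urn):
        _, tok = self._call("POST", "/apiclientbearertoken/", {"apiClient": {"urn": client_urn}})
        return tok["urn"], tok["bearerToken"]   # the secret is only returned on creation

    def confirm_token(self, token_urn, client_urn):
        _, tok = self._call("GET", f"/apiclientbearertoken/{token_urn}")
        return tok["apiClient"]["urn"] == client_urn

    def attach_to_role(self, role_urn, name, owner_urn, client_urn, existing_clients=()):
        # PUT replaces the whole role, so clients already attached must be re-sent.
        clients = [{"urn": u} for u in existing_clients if u != client_urn] + [{"urn": client_urn}]
        body = {"urn": role_urn, "name": name,
                "owner": {"urn": owner_urn, "url": f"/n/v1/company/{owner_urn}"},
                "identities": [], "clients": clients}
        _, role = self._call("PUT", f"/permissionrole/{role_urn}", body)
        return role

    def management_denied(self, bearer, token_urn):
        """True if the client token cannot read even its own record on the management API."""
        status, _ = self._call("GET", f"/apiclientbearertoken/{token_urn}", token=bearer)
        return status == 404


def provision(p, owner_urn, client_id, role_urn, role_name, existing_clients=()):
    """Full flow; returns the identifiers, the one-time secret and the boundary check."""
    client_urn = p.create_client(owner_urn, client_id)
    token_urn, bearer = p.create_bearer_token(client_urn)
    if not p.confirm_token(token_urn, client_urn):
        raise RuntimeError("token is not bound to the client just created")
    p.attach_to_role(role_urn, role_name, owner_urn, client_urn, existing_clients)
    return {"client_urn": client_urn, "token_urn": token_urn, "bearer": bearer,
            "management_denied": p.management_denied(bearer, token_urn)}


class FakeBaack:
    """Constructed in-memory stand-in for api.baack.co, modelled on the responses in
    this guide (assumed behaviour; exists only so the example runs offline)."""
    ADMIN = "admin-bearer-token"

    def __init__(self):
        self.clients, self.tokens, self.roles, self._n = {}, {}, {}, 0

    def _urn(self):
        self._n += 1
        return f"00000000-0000-4000-8000-{self._n:012d}"

    def __call__(self, method, url, token, body):
        path = url[len(BASE):]
        if token != self.ADMIN:   # client tokens have no management-API access
            return 404, dict(NOT_FOUND)
        if (method, path) == ("POST", "/apiclient/"):
            rec = {"urn": self._urn(), "scope": body["scope"],
                   "owner": {"urn": body["owner"]["urn"]}, "clientID": body["clientID"]}
            self.clients[rec["urn"]] = rec
            return 200, rec
        if (method, path) == ("POST", "/apiclientbearertoken/"):
            if body["apiClient"]["urn"] not in self.clients:
                return 404, dict(NOT_FOUND)
            rec = {"urn": self._urn(), "apiClient": {"urn": body["apiClient"]["urn"]}}
            self.tokens[rec["urn"]] = rec
            return 200, {**rec, "bearerToken": "secret-" + rec["urn"][-4:]}
        if method == "GET" and path.startswith("/apiclientbearertoken/"):
            rec = self.tokens.get(path.rsplit("/", 1)[1])
            return (200, rec) if rec else (404, dict(NOT_FOUND))
        if method == "PUT" and path.startswith("/permissionrole/"):
            self.roles[body["urn"]] = body
            return 200, body
        return 404, dict(NOT_FOUND)


if __name__ == "__main__":
    api = FakeBaack()
    out = provision(BaackProvisioner(FakeBaack.ADMIN, send=api),
                    owner_urn="6f97bac3-26fe-4333-91f0-f12af2d1d167", client_id="Android",
                    role_urn="4adb9f61-6f01-42d0-9cab-b5fdfb4f87fb", role_name="Content Viewer")
    print(json.dumps(out, indent=2))
```

The `management_denied` check is the part worth keeping in any provisioning pipeline: if it ever returns False, the client token has been granted more than content-consumption rights and should not be shipped to a browser or native app.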