Authentication
Last updated: 2026-06-01
Every API call must be authenticated. Drömlik uses OAuth 2.0 client credentials: exchange a long-lived API key + secret for a short-lived access token, then include the token in the Authorization header of subsequent requests.
1. Issue an API key
- Step 1: Open Integrations → API
  Sign in to the Drömlik admin console as an administrator and open Integrations → API.
- Step 2: Click Add API Key
  Name it after the application (e.g. "Salesforce connector"). Choose the scopes the application needs — grant only what's strictly required.
- Step 3: Copy the key and secret
  The secret is only shown once. Store it in your secret manager. If you lose it, regenerate the key.

2. Exchange for an access token
POST https://<tenant>.dromlik.com/openapi/v1.0/get_token
Content-Type: application/json

{
  "username": "<api_key>",
  "password": "<api_secret>"
}

Response:
{
  "errcode": 0,
  "access_token": "eyJhbGc...",
  "access_token_expire_time": 1800,
  "refresh_token": "rt_...",
  "refresh_token_expire_time": 86400
}

3. Call the API
GET /openapi/v1.0/extension/list
Authorization: Bearer <access_token>

4. Refresh before expiry
Access tokens live for 30 minutes; refresh tokens for 24 hours. Refresh proactively:
POST /openapi/v1.0/refresh_token

{
  "refresh_token": "rt_..."
}

Common errors
| errcode | Meaning | Fix |
|---|---|---|
| 10001 | Invalid key/secret | Re-check copy/paste; regenerate if needed. |
| 10002 | Token expired | Call /refresh_token. |
| 10003 | Insufficient scope | Edit the API key and grant the missing scope. |
| 10004 | IP not allowed | Add the caller IP to the key's allowlist. |
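
The token lifecycle from sections 2 to 4, as an added example that is not Drömlik's own client code: the token is cached, renewed through /refresh_token shortly before expiry, and re-issued from the key and secret when the refresh token has lapsed or is rejected. Assumptions: `post` is a hypothetical caller-supplied function that sends a JSON body to the tenant and returns the parsed response, the expire times are seconds, the refresh response carries the same fields as the get_token response, and `TokenManager`, `make_fake_server` and the 60-second margin are illustrative.

```python
import time

class TokenManager:
    """Caches the access token and renews it shortly before it expires."""

    def __init__(self, post, api_key, api_secret, skew=60, clock=time.monotonic):
        self._post = post          # assumed helper: post(path, json_body) -> dict
        self._key, self._secret = api_key, api_secret
        self._skew = skew          # renew this many seconds before expiry
        self._clock = clock
        self._access = self._refresh = None
        self._access_exp = self._refresh_exp = 0.0

    def _store(self, body):
        if body.get("errcode") != 0:
            raise RuntimeError(f"token endpoint returned errcode {body.get('errcode')}")
        now = self._clock()
        self._access = body["access_token"]
        self._access_exp = now + body["access_token_expire_time"]
        # Assumption: /refresh_token answers with the same fields as /get_token.
        self._refresh = body["refresh_token"]
        self._refresh_exp = now + body["refresh_token_expire_time"]

    def token(self):
        now = self._clock()
        if self._access and now < self._access_exp - self._skew:
            return self._access                      # still fresh: no network call
        if self._refresh and now < self._refresh_exp - self._skew:
            try:
                self._store(self._post("/openapi/v1.0/refresh_token",
                                       {"refresh_token": self._refresh}))
                return self._access
            except RuntimeError:
                pass                                 # refresh rejected: use key + secret
        self._store(self._post("/openapi/v1.0/get_token",
                               {"username": self._key, "password": self._secret}))
        return self._access

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}

def make_fake_server(calls):
    """Constructed stand-in for the tenant endpoint; records each path called."""
    def post(path, body):
        calls.append(path)
        n = len(calls)
        return {"errcode": 0, "access_token": f"at_{n}", "access_token_expire_time": 1800,
                "refresh_token": f"rt_{n}", "refresh_token_expire_time": 86400}
    return post
```

In production, pass a `post` that reads the key and secret from your secret manager at start-up and never logs request or response bodies, since both carry credentials.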