Authentication
All Placepoint APIs use OAuth2 client credentials (RFC 6749, Section 4.4). This is the standard machine-to-machine flow: your server exchanges a client ID and secret for a short-lived access token, then uses that token for API calls.
Prerequisites
Contact support@placepoint.no to receive:
- client_id: your application identifier
- client_secret: your application secret (treat this like a password)
Requesting a token
Send a POST request to the /auth endpoint of the API you want to call. The request uses application/x-www-form-urlencoded encoding.
curl -X POST https://v1-customer-api.placepoint.no/auth \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=YOUR_CLIENT_ID" \
  --data-urlencode "client_secret=YOUR_CLIENT_SECRET"
A successful response returns a JSON object:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}
Using the token
Include the token in every API request using the Authorization header:
curl -X POST https://v1-customer-api.placepoint.no/v1/plots \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"cadastreNumbers": ["0301-1/2"]}'
Token lifetime and renewal
Tokens expire after the number of seconds indicated by expires_in (typically 3600 seconds / 1 hour). Your application should:
- Cache the token and reuse it for its full lifetime.
- Request a new token before the old one expires, or handle 401 Unauthorized responses by re-authenticating.
A simple approach is to subtract a small buffer (e.g. 60 seconds) from expires_in and schedule renewal at that point.
Per-API tokens
Each API has its own /auth endpoint. A token issued by the Customer API cannot be used to call the Matching API. Request a separate token per API.
| API | Token endpoint |
|---|---|
| Customer API | POST https://v1-customer-api.placepoint.no/auth |
| Matching API | POST https://matching-api.placepoint.no/auth |
| Embed Service | POST https://pc-embed-service.placepoint.no/auth |
Error responses
| HTTP status | Meaning |
|---|---|
| 400 Bad Request | Missing or malformed request parameters |
| 401 Unauthorized | Invalid credentials or expired token |
| 500 Internal Server Error | Server-side error; retry with exponential backoff |
All error responses include a JSON body:
{
  "error": {
    "code": 401,
    "message": "invalid client credentials"
  }
}