Client API endpoints are available under /api/client-api/* and are designed for server-to-server integrations using OAuth2 client_credentials.
Access tokens for this flow must represent an INTEGRATION_AGENT. A token with INTEGRATION_AGENT is restricted to /api/client-api/* and gets 403 Forbidden on other endpoints.
- You have a tenant and a Tenant Admin account.
- You have at least one active user with role INTEGRATION_AGENT.
- OAuth server is reachable (default https://oauth.rapidresolver.com).
- Core service is reachable (default https://api.rapidresolver.com).
- Create an app with grant type Client Credentials (Server-to-Server).
- Select an INTEGRATION_AGENT from the same tenant and bind it to the client.
- If no INTEGRATION_AGENT exists, create one first under Users.
- Copy generated Client ID and Client Secret.
Token endpoint: POST https://oauth.rapidresolver.com/api/oauth2/token
Use either HTTP Basic client credentials or private_key_jwt with a signed client_assertion.
curl -X POST 'https://oauth.rapidresolver.com/api/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic BASE64(client_id:client_secret)' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=client_api'
OR
curl -X POST 'https://oauth.rapidresolver.com/api/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=SIGNED_JWT_ASSERTION' \
--data-urlencode 'scope=client_api'
The JWT payload should match the bound Integration Agent identity, not the app creator user.
{
"role": "INTEGRATION_AGENT",
"grant_type": "client_credentials",
"scope": "client_api",
"client_id": "rr_...",
"username": "api_test@rr.com",
"userId": "b7ac50f9-492b-4e00-aef0-9cad67f5ea9b",
"tenantId": "5fe03b85-54ef-4bba-8711-9f19dca91d3d"
}
6. Client API Endpoints
- Get by number: GET /api/client-api/ticket/{ticketNumber}
- Get by id: GET /api/client-api/ticket/id/{ticketId}
- Search: GET /api/client-api/ticket/search?query=
- Create: POST /api/client-api/ticket/create
- Update status: PUT /api/client-api/ticket/{ticketNumber}/status?status=
- Update priority: PUT /api/client-api/ticket/{ticketNumber}/priority?priority=
- Update type: PUT /api/client-api/ticket/{ticketNumber}/type?type=
- Assign user: POST /api/client-api/ticket/{ticketNumber}/assignee?userIdentifier=
- Remove user: DELETE /api/client-api/ticket/{ticketNumber}/assignee?userIdentifier=
- Add comment: POST /api/client-api/ticket/{ticketNumber}/comment?comment=
Create Ticket
curl -X POST 'https://api.rapidresolver.com/api/client-api/ticket/create' \
-H 'Authorization: Bearer ACCESS_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"title": "Client API test ticket",
"description": "Created via client API",
"status": "OPEN",
"priority": "MEDIUM",
"group": "Technology",
"ticketType": "INCIDENT",
"assigneeEmails": [
"emma.ford@alliterators.com",
"rachel.singh@alliterators.com"
],
"responseTimeInHours": 24,
"resolutionTimeInHours": 48,
"escalationTimeInHours": 12
}'
Get Ticket by Number
curl -X GET 'https://api.rapidresolver.com/api/client-api/ticket/INC-1001' \
-H 'Authorization: Bearer ACCESS_TOKEN'
- rapid-resolver-base/rapid-resolver-core-service/src/test/resources/client-api.http
- rapid-resolver-base/rapid-resolver-core-service/src/test/resources/client-api.postman_collection.json
These files include all Client API endpoints, token request flow, and a negative test for non-client-api access.
9. Security Rules
- INTEGRATION_AGENT can call only /api/client-api/*.
- client_api scope is required for client API endpoints.
- Access to non-client-api endpoints (for example /api/users) returns 403.
- 401 Unauthorized: Invalid client credentials or expired token.
- 403 Forbidden on client API: Missing client_api scope.
- 403 Forbidden on non-client endpoint: Expected for INTEGRATION_AGENT.
- No token for client_credentials: Ensure app is bound to an INTEGRATION_AGENT.
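To triage the 401/403 cases above before calling the API, the following added example (not part of the Rapid Resolver code base) decodes an access token's payload and compares it with the Integration Agent payload shown earlier. It assumes the access token is a compact JWT, that `exp` may be present as a standard claim, and it does not verify the signature, so it is a diagnostic aid for your own tokens and not an authorization check; `decode_payload`, `diagnose`, `make_sample` and the `rr_example` client id are hypothetical names and constructed values.

```python
import base64
import json
import time

def decode_payload(token):
    """Decode the JWT payload segment WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def diagnose(claims, expected_client_id, now=None):
    """Map claim problems to the troubleshooting outcomes listed on this page."""
    now = time.time() if now is None else now
    scope = claims.get("scope", "")
    scopes = scope if isinstance(scope, list) else str(scope).split()
    findings = []
    if claims.get("role") != "INTEGRATION_AGENT":
        findings.append("role is not INTEGRATION_AGENT: check the app's agent binding")
    if claims.get("grant_type") != "client_credentials":
        findings.append("grant_type is not client_credentials")
    if "client_api" not in scopes:
        findings.append("client_api scope missing: expect 403 on /api/client-api/*")
    if claims.get("client_id") != expected_client_id:
        findings.append("client_id does not match the configured app")
    for key in ("username", "userId", "tenantId"):
        if not claims.get(key):
            findings.append(key + " missing: cannot confirm the bound agent identity")
    exp = claims.get("exp")  # assumption: standard expiry claim, seconds since epoch
    if isinstance(exp, (int, float)) and exp <= now:
        findings.append("token expired: expect 401 Unauthorized")
    return findings

def make_sample(claims):
    """Build a constructed sample token with a placeholder signature for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".constructed-signature"

if __name__ == "__main__":
    # Constructed claims: wrong role and wrong scope for the Client API.
    sample = make_sample({"role": "SOME_OTHER_ROLE", "grant_type": "client_credentials",
                          "scope": "read", "client_id": "rr_example",
                          "username": "api_test@rr.com", "userId": "u-1", "tenantId": "t-1"})
    for line in diagnose(decode_payload(sample), "rr_example"):
        print("-", line)
```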