# Getting started with External APIs > This page shows you how to make your first authenticated API call to UiPath. It uses the client credentials flow with a confidential external application — the recommended starting point for production scripts, administrative automation, and integration work. This page shows you how to make your first authenticated API call to UiPath. It uses the client credentials flow with a confidential external application — the recommended starting point for production scripts, administrative automation, and integration work. :::note **Choosing the right tool** The UiPath Swagger documentation lets you explore available API endpoints and understand request and response formats interactively in a browser. Use Swagger for discovery and manual testing only. For production automation, scripting, and integration, use Postman, cURL, or your application code — these support the full OAuth 2.0 bearer token flow required to authorize requests to UiPath APIs. ::: ## Prerequisites - A UiPath organization administrator has registered a **confidential** external application with the **Client Credentials** grant type and assigned the required scopes to it. - You have the **App ID** and **App Secret** for the registered application. For information about registering external applications and choosing the right grant type, see [External Applications (OAuth)](https://docs.uipath.com/test-cloud/automation-cloud/latest/api-guide/accessing-uipath-resources-using-external-applications). ## Step 1: Get a bearer token Send a POST request to the Identity Server token endpoint to receive a bearer token. ```bash curl -X POST "https://cloud.uipath.com/{organizationName}/identity_/connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=client_credentials&client_id={app_id}&client_secret={app_secret}&scope={scopes}" ``` Replace the following placeholders: | Placeholder | Value | |---|---| | `{organizationName}` | Your organization name as it appears in the Test Cloud URL | | `{app_id}` | The App ID from your external application registration | | `{app_secret}` | The App Secret from your external application registration | | `{scopes}` | Space-separated list of scopes granted to the application, for example: `OR.Users.View PM.Users` | The response returns a bearer token: ```json { "access_token": "{access_token}", "expires_in": 3600, "token_type": "Bearer", "scope": "{scopes}" } ``` Copy the `access_token` value. The token is valid for one hour. :::note If you are using Postman or a similar tool, set the request content type to `application/x-www-form-urlencoded`. ::: ## Step 2: Call an API endpoint Include the bearer token in the `Authorization` header of your API request. The following example retrieves a list of machines from Orchestrator: ```bash curl -X GET "https://cloud.uipath.com/{organizationName}/{tenantName}/orchestrator_/odata/Machines" \ -H "Authorization: Bearer {access_token}" \ -H "accept: application/json" ``` Replace `{tenantName}` with the name of your tenant and `{access_token}` with the token from Step 1. ## Result A successful request returns HTTP 200 with the requested data in JSON format. If the request fails, verify the following: - The token has not expired. Tokens expire after one hour — repeat Step 1 to request a new token. - The `Authorization` header value is formatted exactly as `Bearer {access_token}`. - The scopes granted to your external application cover the requested endpoint. To find the scope values for a specific endpoint, check that endpoint's documentation page in this guide, specifically under the **Platform Management APIs** chapter. ## Next steps - For all OAuth grant types and flows — including Authorization Code and PKCE for user-delegated access — see [External Applications (OAuth)](https://docs.uipath.com/test-cloud/automation-cloud/latest/api-guide/accessing-uipath-resources-using-external-applications). - For all Identity Server endpoints used in authentication, see [UiPath Identity Server endpoints](https://docs.uipath.com/test-cloud/automation-cloud/latest/api-guide/accessing-uipath-resources-using-external-applications#uipath-identity-server-endpoints). - To understand how to structure API endpoint URLs, see [API endpoint URL structure](https://docs.uipath.com/test-cloud/automation-cloud/latest/api-guide/api-endpoint-url-structure).