We’ve got a pipeline that needs to call the Studio API to deploy scripts. The standard OAuth flow works fine for interactive use, but it’s a pain for automated runs. The tokens expire every 10 minutes.
I’m trying to generate a long-lived token for the pipeline. The docs mention using the client credentials grant. Here’s what I’m hitting:
POST /api/v2/oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&scope=studio:script
The response comes back with a 200 OK and a token. The issue is the token expires too fast. I need something that lasts for the duration of a build or at least a few hours.
I’ve checked the app settings in the admin portal. The app is set to ‘Confidential’. I’ve tried adding expires_in to the request body but that gets ignored. The token always has a short TTL.
Is there a way to extend the TTL via the API call? Or do I need to configure something on the app side? I’ve seen mentions of refresh tokens but client credentials doesn’t seem to support them.
Here’s the response payload I’m getting:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"expires_in": 3600,
"token_type": "Bearer"
}
3600 seconds is an hour. That’s better than 10 minutes but still not enough for a long-running pipeline. I need something more permanent.
I’ve tried using the offline_access scope but that doesn’t work with client credentials. The docs are vague on this. They just say to use client credentials for server-to-server auth. They don’t mention how to handle long-running processes.
Any ideas? I’m stuck on this. The pipeline keeps failing because the token expires mid-deploy. I can’t add a token refresh step to every script call. That’s too much overhead.
I’ve looked at the Terraform provider but it doesn’t seem to have a way to generate long-lived tokens either. It just uses the standard OAuth flow.
Help is appreciated. I’m running out of options here. The current setup is fragile. We need a more stable solution for our CI/CD process.
I’ve attached the full request and response logs if needed. The headers are standard. Nothing special there.
Thanks.