OAuth2 authentication

How to obtain and use an OAuth2 access token for the RUC REST services with the client-credentials flow.

Overview

The RUC REST services (Order, Inventory, Work Order, Facility, Item Master, Carrier Determination and Webhook) are secured with OAuth2 using the client-credentials grant. There is no user login: your system authenticates as a confidential client and receives a short-lived access token, which it then sends with each API request.

Paxon shares your client_id and client_secret during onboarding. Separate credentials are issued for the staging and production environments.

The flow

  1. Your system POSTs its credentials to the RUC OAuth2 token endpoint, requesting the client_credentials grant.
  2. The OAuth2 server validates the client_id and client_secret.
  3. On success, the server responds with an access_token.
  4. Your system calls a RUC service, passing the token as a Bearer credential in the Authorization header.
  5. A request made without a valid Bearer token is rejected with 401 Unauthorized.

Token endpoints

Environment   Token endpoint
Production    https://ruc-oauth.fulfilit.cloud/v1/oauth/token
Staging       https://ruc-oauth.stage.fulfilit.cloud/v1/oauth/token

The RUC client-credentials clients are not scope-restricted: no scope parameter is required in the token request.

Requesting a token

POST the credentials as a JSON body to the token endpoint. Replace the placeholders with the values Paxon issued for your environment.

curl -X POST https://ruc-oauth.fulfilit.cloud/v1/oauth/token \
  -H 'Content-Type: application/json' \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "<client_id>",
    "client_secret": "<client_secret>"
  }'

A successful response contains the access token and its lifetime:

{
  "access_token": "<access_token>",
  "token_type": "Bearer",
  "expires_in": 3600
}

Calling a service

Send the token in the Authorization header on every request:

curl -X POST https://ruc-public-api.fulfilit.cloud/v1/inventoryService/findInventoryBySkuList \
  -H 'Authorization: Bearer <access_token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "clientId": "<clientId>",
    "distributionCentre": "<facilityCode>",
    "products": ["acme-sku-001", "acme-sku-002"]
  }'

Cache the token and reuse it until it is close to expiry, then request a fresh one. Do not request a new token per call.
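A small client that carries out the whole flow above, added here as an illustration and not code from the RUC or Paxon documentation: it requests a client-credentials token from the page's token endpoint, caches it until 60 seconds before expiry, and attaches it as a Bearer header on the Inventory call. The names TokenCache, find_inventory, post_json and the 60-second skew are this example's own; the transport and clock arguments exist so the caching logic can be exercised without network access.

```python
import json
import time
import urllib.request

# Endpoints are the ones given on the page; everything else is illustrative.
TOKEN_URL = "https://ruc-oauth.fulfilit.cloud/v1/oauth/token"
INVENTORY_URL = ("https://ruc-public-api.fulfilit.cloud/v1/"
                 "inventoryService/findInventoryBySkuList")


def post_json(url, body, headers=None):
    """Real transport: POST a JSON body and return the parsed JSON reply.
    urlopen raises HTTPError for a 401, which the caller can use to invalidate."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class TokenCache:
    """Holds one client-credentials token and refreshes it shortly before expiry."""

    def __init__(self, client_id, client_secret, token_url=TOKEN_URL,
                 transport=post_json, clock=time.time, skew=60):
        # JSON body exactly as the page's curl example sends it (no scope needed).
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self._token_url, self._transport = token_url, transport
        self._clock, self._skew = clock, skew
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        """Return the cached token, fetching a new one only when it is near expiry."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            reply = self._transport(self._token_url, self._creds)
            self._token = reply["access_token"]
            self._expires_at = now + int(reply["expires_in"])
        return self._token

    def invalidate(self):
        """Call after a 401 so the next get_token() fetches a fresh token."""
        self._token = None


def find_inventory(cache, client_id, facility_code, skus, transport=post_json):
    """Call the Inventory service; only the Bearer token leaves the cache, never the secret."""
    body = {"clientId": client_id, "distributionCentre": facility_code, "products": list(skus)}
    headers = {"Authorization": "Bearer " + cache.get_token()}
    return transport(INVENTORY_URL, body, headers)
```

Keep client_secret out of source control and logs; load it from a secret store or environment variable at start-up and pass it to TokenCache once.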

Using try-it in the reference
