Authentication & Access
How to authenticate, obtain access tokens, manage subscription keys, and choose the correct API access model for your integration.

Overview

Dynamic Planner’s Open API uses a robust, two-layer security model combining an API subscription key with OAuth 2.0 (OpenID Connect) access tokens. Every API call requires both:

  • Subscription Key — identifies your application to Dynamic Planner’s API gateway.
  • OAuth 2.0 Access Token — authorises the request based on assigned scopes and user/application context.

OAuth flows follow standard OpenID Connect conventions and support both user-present and service-account integrations.


API Access Models

Dynamic Planner supports multiple access models through OAuth 2.0. These options allow customers to integrate in a way that aligns with their workflow, scalability requirements, and operational design.

1. Fully Automated (Service Account)

  • Ideal for continuous, high‑volume automation.
  • Runs without user presence; uses Client Credentials Flow.
  • Enables deep product embedding and large-scale operational workflows.

2. User‑Present API Access

  • API usage is tied to an actively logged-in user.
  • Well-suited to assisted workflows or UI-driven processes.
  • Uses the Hybrid Flow (Authorization Code + ID Token).
  • Mirrors normal web login workflows.

3. User‑Based Automation (Time‑Bound Delegation)

  • A user explicitly grants consent once, allowing the system to perform automated actions on their behalf for a limited period (e.g., 30 days).
  • This model enables automation while ensuring the user remains in control, as access expires unless they re‑approve it.
  • Suitable for background, scheduled, or batch processing that must run “as the user” but without them being logged in.

Choose the model that aligns best with your integration’s operational model and data flow requirements.

| Requirement | Recommended Model |
|---|---|
| No user involved; machine‑to‑machine automation | Fully Automated (Service Account) |
| User is actively present and performing tasks | User‑Present API Access |
| Background automation acting on behalf of a specific user | User‑Based Automation (Time‑Bound Delegation) |

Getting Started with Authentication

1. Request Access

To obtain subscription keys and OAuth credentials, submit a request through Get API Access. You will be asked to provide:

  • Company name and environments (Dev/Prod)
  • Expected use cases and required data domains (CRM, Finances, Profiling)
  • Preferred OAuth flow and approved redirect URIs

Dynamic Planner will issue:

  • API subscription key(s)
  • OAuth client registration (client ID, client secret, redirect URI)
  • Assigned scopes following least‑privilege principles

2. Configure Your OAuth Client

Authorize endpoint:
https://identity.distribution-technology.com/identity/connect/authorize

Token endpoint:
https://identity.distribution-technology.com/identity/connect/token

Supported flows: Hybrid or Client Credentials (depending on the API access model you selected).

3. Call the API

Include both the bearer token and the subscription key with every request:

HTTP
GET https://open-api.dynamicplanner.com/crm/v1/clients
Authorization: Bearer <access_token>
Ocp-Apim-Subscription-Key: <subscription_key>
Accept: application/json
            

Security Layers

Subscription Key

Identifies your application at the API gateway and is required for all requests. Dynamic Planner issues two separate subscription keys — one for the Test environment and one for Production. When moving to live operation, you must update your integration to use the Production subscription key, as Test keys will not authenticate requests against the live environment.

Header
Ocp-Apim-Subscription-Key: <subscription_key>

Keep keys secure; never expose them in client‑side applications or logs.

OAuth 2.0

Dynamic Planner uses OAuth 2.0 Bearer tokens:

Header
Authorization: Bearer <access_token>

Scopes & Consent

Permissions are allocated based on least privilege and aligned to API domains (CRM, Finances, Profiling). Access tokens include claims representing:

  • Employee (when applicable)
  • Organisation Unit (OU)

API responses automatically respect this context. If your access needs change, request a scope review.


Token Lifetimes & Refresh

Access Tokens

Short-lived (minutes). Applications must refresh or reauthorize automatically.
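
The following is an added example, not Dynamic Planner's own code, showing one way a Fully Automated (Service Account) integration can renew its short-lived access token automatically and attach both required credentials to every call. It assumes the client ID and secret are sent in the form body and that the token response carries the standard OAuth 2.0 `access_token` and `expires_in` fields; the class name, the `skew` margin and the scope value passed in are hypothetical.

```python
import json
import time
import urllib.parse
import urllib.request

# Endpoints as listed on this page.
TOKEN_URL = "https://identity.distribution-technology.com/identity/connect/token"
API_BASE = "https://open-api.dynamicplanner.com"


def post_form(url, fields):
    """Default transport: POST form-encoded fields and return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ServiceAccountAuth:
    """Caches a Client Credentials token and renews it shortly before expiry."""

    def __init__(self, client_id, client_secret, subscription_key, scope,
                 transport=post_form, clock=time.monotonic, skew=30):
        # Assumption: credentials go in the form body (HTTP Basic is the alternative).
        self._form = {"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope}
        self._key = subscription_key
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        now = self._clock()
        # Renew `skew` seconds early so a token never expires mid-request.
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._transport(TOKEN_URL, self._form)
            self._token = body["access_token"]
            self._expires_at = now + float(body["expires_in"])  # lifetime in seconds
        return self._token

    def headers(self):
        """Both credentials the gateway requires on every request."""
        return {"Authorization": "Bearer " + self.access_token(),
                "Ocp-Apim-Subscription-Key": self._key,
                "Accept": "application/json"}

    def __repr__(self):
        # Keep the secret, key and token out of logs and tracebacks.
        return "ServiceAccountAuth(<redacted>)"
```

Load the client secret and subscription key from a secret store or environment variables rather than source code, and pass `headers()` to whichever HTTP client issues the request against `API_BASE`.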

Refresh Tokens

Issued for offline access when permitted; store securely.

Expiry Policy

  • Sliding lifetime: 15 days
  • Absolute expiry: 35 days

Environments & Base URLs

Both Development and Production APIs share the same root URL. You will be issued a Production Sandbox Organisation Unit (OU) for onboarding and testing, which is why a single base URL is used across environments.

URL
https://open-api.dynamicplanner.com

Examples:

  • CRM API: /crm/v1
  • Finances API: /finances/v1