
Overview

The Fentu FSM API uses token-based authentication. All API requests must include a valid authentication token in the request header.
Keep your API credentials secure. Never expose tokens in client-side code or public repositories.

Authentication Methods

API Key Authentication

For server-to-server integrations:
Authorization: Bearer YOUR_API_KEY

OAuth 2.0

For user-authorized applications:
  1. Redirect user to authorization endpoint
  2. User grants permission
  3. Receive authorization code
  4. Exchange code for access token
  5. Use access token for API requests

Obtaining Credentials

API Keys

  1. Navigate to Settings: go to Administration > Integrations > API
  2. Create API Key: click “Create API Key”
  3. Set Permissions: configure what the key can access
  4. Copy Key: save the generated key securely

API keys are shown only once when created. Store them securely immediately. If lost, you must create a new key.

OAuth Credentials

For OAuth applications:
  1. Register your application
  2. Receive client ID and secret
  3. Configure redirect URIs
  4. Implement OAuth flow

Making Authenticated Requests

Request Headers

Include the authentication header in all requests:
curl -X GET "https://api.fentu.io/v1/work-orders" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

Example Request

const response = await fetch('https://api.fentu.io/v1/work-orders', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json'
  }
});

Token Management

Token Expiration

| Token Type | Lifetime |
| --- | --- |
| API Key | No expiration (until revoked) |
| Access Token | 1 hour |
| Refresh Token | 30 days |

Refreshing Tokens

For OAuth access tokens:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
refresh_token=YOUR_REFRESH_TOKEN&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET

Revoking Tokens

To invalidate a token:
POST /oauth/revoke
Authorization: Bearer YOUR_TOKEN

Permissions & Scopes

Available Scopes

| Scope | Access |
| --- | --- |
| read:work-orders | View work orders |
| write:work-orders | Create/update work orders |
| read:customers | View customers |
| write:customers | Create/update customers |
| read:assets | View assets |
| write:assets | Create/update assets |
| admin | Full administrative access |

Requesting Scopes

Include scopes in the authorization request as a space-separated list (the space is URL-encoded as %20):
https://api.fentu.io/oauth/authorize?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=YOUR_REDIRECT&
  scope=read:work-orders%20write:work-orders&
  response_type=code

Error Handling

Authentication Errors

| Error Code | Meaning | Resolution |
| --- | --- | --- |
| 401 | Invalid or missing token | Check token and try again |
| 403 | Insufficient permissions | Request needed scopes |
| 429 | Rate limited | Wait and retry |

Error Response Format

{
  "error": "unauthorized",
  "error_description": "Invalid or expired token",
  "status": 401
}

Rate Limiting

Limits

| Tier | Requests/Hour |
| --- | --- |
| Standard | 1,000 |
| Professional | 10,000 |
| Enterprise | Unlimited |

Rate Limit Headers

Responses include rate limit information:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1640995200

Handling Rate Limits

When rate limited:
  1. Check X-RateLimit-Reset header
  2. Wait until reset time
  3. Retry request
  4. Consider caching responses
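
The authentication error table and the rate-limit steps above can be combined into one retry policy. The JavaScript below is an added example, not Fentu's own code; `nextAction`, `callApi`, `MAX_WAIT_MS` and the injected `doFetch`, `getToken`, `refreshToken` and `sleep` helpers are hypothetical names, and the one-hour wait cap is an assumption based on the hourly limits.

```javascript
// Added example, not Fentu's code. Maps the documented 401/403/429 responses
// to a client action using the X-RateLimit-Reset header shown on this page.
const MAX_WAIT_MS = 60 * 60 * 1000; // assumption: limits are hourly, never wait longer

// headers: plain object with lower-case names; nowMs: current time in ms.
function nextAction(status, headers, nowMs) {
  if (status === 401) return { action: 'refresh' }; // invalid or expired token
  if (status === 403) return { action: 'fail' };    // missing scope: retrying cannot help
  if (status !== 429) return { action: status < 400 ? 'ok' : 'fail' };
  const reset = Number(headers['x-ratelimit-reset']); // Unix seconds, e.g. 1640995200
  if (!Number.isFinite(reset)) return { action: 'retry', delayMs: 1000 }; // header absent
  // Clamp: a reset in the past means retry now; an implausibly distant one is capped.
  const delayMs = Math.min(Math.max(reset * 1000 - nowMs, 0), MAX_WAIT_MS);
  return { action: 'retry', delayMs };
}

// doFetch, getToken, refreshToken and sleep are hypothetical injected helpers,
// so the token comes from a vault or environment variable, never a literal.
async function callApi(url, { doFetch, getToken, refreshToken, sleep }, maxAttempts = 3) {
  let refreshed = false;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const res = await doFetch(url, {
      headers: { Authorization: `Bearer ${await getToken()}` },
    });
    const headers = Object.fromEntries(res.headers.entries());
    const step = nextAction(res.status, headers, Date.now());
    if (step.action === 'ok') return res;
    if (step.action === 'refresh' && !refreshed) {
      await refreshToken(); // one refresh per call; a second 401 is a hard failure
      refreshed = true;
    } else if (step.action === 'retry') {
      await sleep(step.delayMs);
    } else {
      throw new Error(`request failed with status ${res.status}`); // no token in the message
    }
  }
  throw new Error('gave up after repeated 401 or 429 responses');
}
```

Bounding both the wait and the number of attempts keeps a misbehaving or spoofed reset value from stalling the integration, and failing fast on 403 avoids hammering the API with a key that lacks the needed scope.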

Security Best Practices

Store credentials in secure vaults or environment variables. Never hardcode in source code.
Always use HTTPS for API requests. Never send credentials over unencrypted connections.
Request only the scopes you need. Don’t request admin access for read-only operations.
Periodically rotate API keys. Immediately revoke any compromised credentials.
Monitor API usage for unusual patterns. Investigate unexpected spikes.
Where possible, restrict API access to known IP addresses.
