Authentication & Access
Dynamic Planner’s Open API uses two layers of security, built on standards-based OAuth 2.0 with OpenID Connect support:
- Subscription Key — identifies your application to Dynamic Planner’s API gateway.
- OAuth 2.0 Access Token — authorises requests on behalf of a user or service.
All requests must include both.
Example Request
GET https://open-api.dynamicplanner.com/crm/v1/clients
Authorization: Bearer <access_token>
Ocp-Apim-Subscription-Key: <subscription_key>
Accept: application/json
1) Quick Start
Step 1 — Request Access
Email support@dynamicplanner.com or your Dynamic Planner contact with the following information:
- Your Name and Company
- Preferred OAuth flow (Client Credentials or Authorisation Code)
- Redirect URI(s) (mandatory for Authorisation Code flow)
- The Dynamic Planner API endpoints you plan to use (so that the correct OAuth scopes can be assigned)
Dynamic Planner will issue:
- Subscription Key(s) for Dev or Prod
- OAuth client registration (client ID, client secret, approved redirect URI)
Step 2 — Configure Your OAuth Client
- Authorize endpoint: https://identity.distribution-technology.com/identity/connect/authorize
- Token endpoint: https://identity.distribution-technology.com/identity/connect/token
- Grant/Flow: choose the one that fits (see table below)
- Scopes: request only what you need (principle of least privilege)
Step 3 — Call the API
Include the access token and subscription key on every request. Access tokens are short-lived: when one expires, perform a refresh (if enabled) or re-authorise.
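An added example (not Dynamic Planner's own code) of Step 3 for the Client Credentials flow: it caches the app-only token, renews it shortly before expiry, and builds both required headers. It assumes the token endpoint accepts HTTP Basic client authentication and returns the standard `access_token` and `expires_in` fields; `ApiCredentials`, `post_form` and the scope value you pass in are hypothetical names.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = "https://identity.distribution-technology.com/identity/connect/token"

def post_form(url, form, client_id, client_secret):
    """POST an OAuth 2.0 token request. Assumption: HTTP Basic client auth."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class ApiCredentials:
    """Holds both security layers; renews the token `skew` seconds early."""
    def __init__(self, client_id, client_secret, subscription_key, scope,
                 post=post_form, clock=time.monotonic, skew=60):
        self._id, self._secret, self._key = client_id, client_secret, subscription_key
        self._scope, self._post, self._clock, self._skew = scope, post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Fetch when there is no token or it is within `skew` seconds of expiry.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._post(TOKEN_URL,
                              {"grant_type": "client_credentials", "scope": self._scope},
                              self._id, self._secret)
            self._token = body["access_token"]
            # A missing expires_in is treated as 0, so the token is never reused.
            self._expires_at = self._clock() + int(body.get("expires_in", 0))
        return self._token

    def headers(self):
        """Headers for every API call: bearer token plus subscription key."""
        return {"Authorization": f"Bearer {self.token()}",
                "Ocp-Apim-Subscription-Key": self._key,
                "Accept": "application/json"}

    def invalidate(self):
        """Call after a 401 response so the next request gets a fresh token."""
        self._token = None
```

Load the client secret and subscription key from a secrets manager or environment variables on the server, never from source control or browser-delivered code.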
2) Two Layers of Security
Subscription Key
Ocp-Apim-Subscription-Key: <subscription_key>
Purpose: identifies your app, enables usage tracking, rate limiting, and abuse prevention.
Keep it secure: treat it like a credential and do not embed it in client-side code.
OAuth 2.0
Dynamic Planner issues Bearer tokens. Your app obtains tokens via an OAuth flow and then calls APIs with:
Authorization: Bearer <access_token>
3) Choosing the Right OAuth 2.0 Flow
Use the matrix below to pick a flow based on your architecture and interaction model.
| Flow | Best for | Characteristics | Pros | Considerations |
|---|---|---|---|---|
| Hybrid Flow (Auth Code + ID Token) | Interactive web apps where a user signs in and the app needs both identity and API access | Redirect user to DP Identity Server; Returns ID token + auth code; Backend exchanges code for tokens | Secure for user-facing apps; Supports MFA and consent; Combines identity + API access | Requires redirect handling; Needs server-side code exchange; Redirect URI must be pre-registered |
| Client Credentials Flow | Server-to-server integrations, scheduled jobs, backend services (no user interaction) | App authenticates with client ID/secret; Receives app-only access token; No browser redirects | Simple for headless workloads; No user dependency; Ideal for automation | Token represents application context, not a person; Scopes must be carefully provisioned; Cannot perform user-specific actions |
Only the flows above are supported by Dynamic Planner. If you need a different pattern, speak to your account team; support is determined by use case and risk posture.
4) Scopes & Consent
- Dynamic Planner issues scopes aligned to specific API domains and endpoints (e.g., CRM, Finances, Profiling).
- Allocation model: During onboarding, you describe your integration use case and endpoints. Dynamic Planner assigns minimum required scopes.
- Token context: Access tokens carry claims for Employee and Organisation Unit (OU). API responses are filtered by this context.
- If your integration evolves, request a scope review to update permissions.
5) Environments & Base URLs
Use the same base URL for Dev and Production:
- CRM: https://open-api.dynamicplanner.com/crm/v1
- Finances: https://open-api.dynamicplanner.com/finances/v1