This article walks through getting the API credentials DropStream needs to import orders from your Acumatica ERP. If you’re setting up DropStream for your own Acumatica instance, complete these steps and then continue with Enable API Access. If a third-party fulfillment provider is configuring DropStream for you, complete these steps and share the resulting values with them — they’ll handle the rest.
Acumatica authenticates with the OAuth 2.0 Resource Owner Password Credentials grant. You’ll come away with five values:
- Instance URL — the base URL of your Acumatica instance, e.g. https://myerp.acumatica.com.
- Client ID — generated when you save the Connected Application.
- Client Secret — the Shared Secret value you generate (shown only once).
- Username and Password — the login of a dedicated Acumatica integration user.
The work is in two parts: first create the integration user, then register the Connected Application that issues the Client ID and Shared Secret.
Note: This is different from setting up Acumatica as a fulfillment destination. The destination uses the Authorization Code flow with a redirect URI; the order source uses Resource Owner Password Credentials, which has no redirect URI and instead relies on the integration user’s username and password.
1. Create a Dedicated Integration User
Use a dedicated Acumatica user for the integration rather than a person’s login. A person’s password changes, their access may be revoked when they leave, and their sign-ins compete with DropStream for Acumatica’s concurrent-login limit. A dedicated user keeps the connection stable and makes its activity easy to audit.
- Sign in to Acumatica as an administrator.
- Open User Security > Users (form SM201010; you can also type Users into the search bar).
- Click + to add a new user. Give it a clear Login such as dropstream, set a strong Password, and clear any “force password change on next login” option so the password stays stable.
- Assign a Role (or roles) that grant access to the data DropStream reads and writes:
  - Sales Orders — read (to import orders).
  - Shipments — read and write (to import shipments and post tracking back).
  - Inventory — read (for SKU and warehouse lookups).
  - Access to the contract-based REST API / the Default endpoint.

  If your security model uses a single integration role, make sure it covers the Sales Order, Shipment, and Inventory entities above. Granting less will cause the integration to fail at runtime, not at setup.
- Save the user. The Login and Password you set here are the Username and Password you’ll enter into DropStream.
Tip: Acumatica limits the number of concurrent API logins per user (the Number of Connections / Maximum Number of Sign-Ins setting on the license and user). If you run other integrations against the same user, give the integration user enough headroom or a license type that permits the API connections it needs.
2. Register a Connected Application
The Connected Application is what issues the Client ID and Shared Secret.
- Sign in to your Acumatica ERP instance. At the login screen, specify the Tenant and enter a valid Username and Password, then click Sign In.
- From the Acumatica home page, open More Items > Integration.
- Click Show All, then under Preferences click Connected Applications.
- Click + to add a new record.
- Enter a descriptive Client Name, such as DropStream, and leave Active checked.
- For OAuth 2.0 Flow, select Resource Owner Password Credentials. Selecting this flow is what makes the application work for an order source.
- Under Refresh Tokens, set:

  | Setting | Value | Why |
  | --- | --- | --- |
  | Mode | Sliding Expiration | Each time DropStream refreshes the token, its lifetime resets — so an actively-running connection never expires. |
  | Absolute Lifetime | Infinite (leave with no fixed cap) | Prevents the refresh token from hard-expiring on a fixed schedule regardless of activity. Acumatica recommends no absolute expiration for long-running integrations. |
  | Sliding Lifetime | 15 days | The window within which DropStream must use the token to keep it alive. DropStream polls continuously, so 15 days is comfortable. |
- Open the Secrets tab and click Add Shared Secret.
- In the Add Shared Secret window:
  - Enter a Description, such as DropStream.
  - Set Expires On (UTC) — see About the Shared Secret expiration below. Leaving it blank means the secret never expires.
  - Copy the Value exactly and store it securely. This is your Client Secret, and Acumatica shows it only once — it cannot be retrieved later.
  - Click OK.
- Click the Save (disk) icon to save the application. After saving, Acumatica generates and displays the Client ID in the field at the top of the form. Copy it. The Client ID is a GUID with your tenant name appended, in the form <GUID>@<Tenant> — for example 03539A80-9BBD-231F-0435-7FBC92E9CD3F@MyCompany. Enter it into DropStream exactly as shown, including the @<Tenant> suffix.
You now have everything DropStream needs: the Instance URL, Client ID, Client Secret (Shared Secret), and the integration user’s Username and Password. Continue with Enable API Access.
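Before handing the five values over, it helps to check them for the mistakes that break the connection later, such as a dropped @<Tenant> suffix or a non-HTTPS URL. The sketch below is an added example, not DropStream or Acumatica code. It validates the values and builds the Resource Owner Password Credentials token request without sending it. The token endpoint path /identity/connect/token is an assumption not stated in this article, and the secret and password are constructed samples.

```python
import re
from urllib.parse import urlencode, urlsplit

# <GUID>@<Tenant>, the Client ID form described in this article.
CLIENT_ID_RE = re.compile(
    r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}@.+$")
# Assumption: Acumatica's OAuth token endpoint path (not given in this article).
TOKEN_PATH = "/identity/connect/token"

def check_values(instance_url, client_id, client_secret, username, password):
    """Return a list of problems found in the five values; empty means OK."""
    problems = []
    parts = urlsplit(instance_url)
    # The password grant sends the user's password, so require TLS.
    if parts.scheme != "https" or not parts.netloc:
        problems.append("Instance URL must be an https:// base URL")
    if not CLIENT_ID_RE.match(client_id):
        problems.append("Client ID must be <GUID>@<Tenant>, suffix included")
    for name, value in (("Client Secret", client_secret),
                        ("Username", username), ("Password", password)):
        if not value:
            problems.append(f"{name} is empty")
    if client_secret != client_secret.strip():
        problems.append("Client Secret has leading or trailing whitespace")
    return problems

def build_token_request(instance_url, client_id, client_secret, username, password):
    """Build the token request (URL, form body) without sending it."""
    problems = check_values(instance_url, client_id, client_secret,
                            username, password)
    if problems:
        raise ValueError("; ".join(problems))
    body = urlencode({
        "grant_type": "password",        # Resource Owner Password Credentials
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": "api offline_access",   # offline_access yields a refresh token
    })
    return instance_url.rstrip("/") + TOKEN_PATH, body

if __name__ == "__main__":
    # Constructed sample values; the Client ID is the example from this article.
    url, body = build_token_request(
        "https://myerp.acumatica.com",
        "03539A80-9BBD-231F-0435-7FBC92E9CD3F@MyCompany",
        "constructed-secret", "dropstream", "constructed-password")
    print("POST", url)
    print(len(body), "bytes of form data (not printed: it contains secrets)")
```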
About the Shared Secret expiration
The Expires On (UTC) date you set when creating the Shared Secret controls how long that secret is valid:
- Leave it blank and the secret never expires. For an unattended integration this is the simplest, most reliable choice — there’s nothing to lapse and break the connection.
- Set a date if your security policy requires secret rotation. Choose a date far enough out to avoid surprise outages (for example, one to two years), and put a calendar reminder a few weeks ahead of it.
When a Shared Secret expires, Acumatica stops issuing tokens for the application. DropStream can no longer authenticate, and order import plus tracking writeback stop until you rotate the secret. To rotate without downtime: add a new Shared Secret in the Connected Application, copy its value, update the Client Secret in DropStream, confirm the connection works, then remove the old secret.
About refresh tokens
DropStream requests the offline_access scope (the default token scope is
api offline_access), so Acumatica returns a refresh token alongside each
access token. DropStream uses that refresh token to renew access in the
background — it does not re-send the username and password on every request.
With Sliding Expiration and an Infinite absolute lifetime, the refresh token stays valid as long as it’s used at least once per Sliding Lifetime window (15 days above). Because DropStream polls Acumatica continuously, the token keeps “sliding” forward and effectively never expires. If the connection is paused for longer than the sliding window, the refresh token lapses and DropStream re-authenticates from scratch with the integration user’s username and password — which is why those credentials must stay valid even though day-to-day operation relies on the refresh token.
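The interaction between the sliding window and the absolute lifetime is easier to see when modelled. The following is an added example, not Acumatica's implementation: a small model of the behaviour described above that reports when a refresh token would lapse for a given pattern of use. The dates are constructed, and treating a use exactly at the expiry instant as still valid is an assumption.

```python
from datetime import datetime, timedelta, timezone

def simulate_refresh_token(issued, uses, sliding=timedelta(days=15),
                           absolute=None):
    """Model a sliding-expiration refresh token (illustrative only).

    issued   -- when the refresh token was first issued
    uses     -- times at which the token was presented for a refresh
    sliding  -- Sliding Lifetime (15 days in this article)
    absolute -- Absolute Lifetime, or None for Infinite
    Returns (lapsed_at, valid_until); lapsed_at is None if every use succeeded.
    """
    hard_stop = issued + absolute if absolute is not None else None

    def cap(t):
        # An absolute lifetime caps the expiry no matter how often it slides.
        return min(t, hard_stop) if hard_stop is not None else t

    valid_until = cap(issued + sliding)
    for used in sorted(uses):
        if used > valid_until:
            # Token had already lapsed: a full username/password login is needed.
            return valid_until, valid_until
        valid_until = cap(used + sliding)   # each successful use slides the window
    return None, valid_until

# Constructed timeline for the demonstration.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

def day(n):
    return T0 + timedelta(days=n)

if __name__ == "__main__":
    daily = [day(d) for d in range(1, 41)]
    print("continuous polling:", simulate_refresh_token(T0, daily))
    print("22-day pause:      ", simulate_refresh_token(T0, [day(1), day(9), day(31)]))
    print("30-day hard cap:   ", simulate_refresh_token(T0, daily,
                                                        absolute=timedelta(days=30)))
```

The second case is the one that forces the fallback to the integration user's username and password; the third shows why a fixed Absolute Lifetime interrupts even a connection that polls every day.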