I’m new to SailPoint ISC and have been exploring the v2025 REST APIs. I’ve noticed that not all endpoints appear to support the non-PAT (Personal Access Token) Client Credentials, and I was hoping someone could clarify why that is. If there’s a document that outlines why some endpoints don’t allow pure Client Credentials, I’d really appreciate it if you could point me to it.
We’re looking to build some integrations using the “/accounts” and “/identities” endpoints and ideally would prefer not to rely on a PAT tied to an individual SailPoint user account.
Interestingly, the “/accounts” endpoint seems to work with Client Credentials in v2025, even though the documentation only lists PAT as supported under “AUTHORIZATION: OAUTH2” (list-accounts | SailPoint Developer Community). In contrast, the “/identities” endpoint appears to require a PAT, consistent with the documentation.
Hi Ryan, welcome to the SailPoint Developer Community.
The key difference is user context. Client Credentials tokens aren’t associated with a user, while PATs are linked to the user who created them. Some endpoints require user context for authorization and audit tracking - the /identities endpoint needs to know which user is making the request, so it requires a PAT. The /accounts endpoint doesn’t have this requirement, which is why it works with Client Credentials.
Unfortunately, there’s no single document listing which endpoints require user context. For your integration with both /accounts and /identities, you’ll need to use a PAT.
Hi @sita_ram, Thank you for the quick response and explanation!
I suppose a follow-up question I have (for SailPoint) is, if certain endpoints and permissions are only available when using a PAT, why are they listed as options when you create a “non-PAT” Client Credential:
Posting a quick update: it looks like an Idea was created to expand Client Credentials support to more endpoints. Feel free to take a look and vote here: https://ideas.sailpoint.com/ideas/GOV-I-4588