Get Started with API Keys

To create an API Key, navigate to your Account Settings by clicking your name in the portal navigation and selecting "Account Settings" or going to

The API Keys section allows you to create and revoke API Keys and their associated secrets. API Keys provide you the ability to automate actions on behalf of your account while keeping your password and other account information secure.

Keys and Secrets

API Keys and their Key ID may be thought of as the username for the account. This ID can be viewed and copied at any time. Each key may have multiple "shared secrets" which serve as the "password" for the key. These shared secrets are only visible at the time they are created for security purposes.

Each shared secret created after the initial default secret may have a description added and a time for its expiration set automatically. Secrets may also be revoked at any time or the entire key may be deleted, revoking its secrets with it.

Retrieving a Bearer Token

API Keys are used to retrieve a bearer token from Centersquare's bearer token endpoint. Bearer tokens are used to authenticate any of the Portal APIs and are valid for 1 hour after their creation. To retrieve a bearer token, provide an API Key ID and an active shared secret associated with the key as the client_id and client_secret, respectively to the following endpoint. The request must be sent as a URL encoded form.

See example below, replacing KEYID and SHAREDSECRET with your credentials.

curl --location --request POST '' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=KEYID' \
--data-urlencode 'client_secret=SHAREDSECRET'
POST /connect/token HTTP/1.1
Content-type: application/x-www-form-urlencoded

const https = require('follow-redirects').https;
const fs = require('fs');

const qs = require('querystring');

let options = {
		'method': 'POST',
		'hostname': '',
		'path': '/connect/token',
		'headers': {
				'Content-Type': 'application/x-www-form-urlencoded'
		'maxRedirects': 20

const req = https.request(options, (res) => {
		let chunks = [];

		res.on("data", (chunk) => {

		res.on("end", (chunk) => {
				let body = Buffer.concat(chunks);

		res.on("error", (error) => {

let postData = qs.stringify({
		'grant_type': 'client_credentials',
		'client_id': 'KEYID',
		'client_secret': 'SHAREDSECRET'



The returned response will be JSON, with the bearer token returned in the access_token key.

    "access_token": "BEARER_TOKEN",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": ""

With the Bearer Token saved, future API requests can be authenticated by providing a request header in the form of authorization: Bearer BEARER_TOKEN, replacing BEARER_TOKEN with the token provided earlier. Note that the expiration for the token is also provided in the request. Tokens currently expire one hour after they are provided.