Mint M2M credentials and integrate against the bridge REST API.
Machine-to-machine credentials are how your ERP, POS, or accounting system authenticates against the MyInvois Bridge REST API. The flow is OAuth2 client_credentials — standard, but with three Malaysia-specific subtleties (per-company scoping, the LHDN onBehalfOf chain, manual rotation). This guide walks the full lifecycle.
From the Settings page, in three clicks.
Credentials are minted per company. If you operate multiple companies under one account, each one has its own client_id/client_secret pair — there is no shared root credential.
- Open Settings → API Credentials, click "Create credential".
- Name the credential (e.g. "Xero production", "AutoCount staging"). The name is for your records only.
- The dashboard returns the client_id and a one-time-reveal client_secret. Copy the secret straight into your secrets manager or deployment config; it's hashed on save and never shown again, so a lost secret means revoking the credential and creating a new one.
- Scopes are stored per credential. A new credential carries the invoice + document permissions by default; narrow them with the RBAC dropdown when an integration needs less (for example a read-only credential for analytics), so each client_id holds only what its job requires.
Token exchange + per-request scoping.
Once you have a credential, the request flow looks like every other OAuth2 client_credentials API.
- POST to the bridge token endpoint with grant_type=client_credentials and your client_id + client_secret in the request body. Keep them out of the query string, where they would land in access logs and proxies.
- The response contains an access_token (valid for 60 minutes), expires_in, and the granted scopes.
- Cache the token in-process or in Redis with a TTL derived from expires_in minus a safety margin (about 58 minutes for the 60-minute token) rather than a hard-coded constant, so a shorter-lived token is never served stale. The bridge itself caches LHDN tokens this way; mirror the pattern on your side.
- Pass the access_token as Authorization: Bearer <token> on every subsequent API call.
Manual revoke + recreate (for now).
Automated rotation with overlap windows is on the roadmap (see /changelog). Today the flow is: create a new credential, switch your integration over, revoke the old one. The revocation audit log captures who revoked, when, and why — useful at year-end.
- Settings → API Credentials → click "Revoke" on the old credential.
- Type the reason (e.g. "quarterly rotation", "engineer left", "suspected leak").
- Revoked credentials cannot mint new tokens, but tokens already issued keep working until they expire, which can be up to 60 minutes after the revocation. Plan the cutover accordingly, and in a suspected-leak case treat that window as exposure time: revoking the credential does not recall a token someone has already obtained.
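The token exchange and caching described under "Token exchange + per-request scoping", and the revoke-and-recreate cutover above, in one added example. This is illustrative client code written for this page, not the bridge's own SDK: it assumes a placeholder TOKEN_URL (the page does not publish the endpoint), assumes the granted scopes come back in the standard space-separated `scope` field, and uses a constructed in-memory FakeBridge in place of the real endpoint so it runs offline. `http_post_form` is the real transport you would wire in instead.

```python
import json
import threading
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# ASSUMPTION: the page does not give the token endpoint; this URL is a placeholder.
TOKEN_URL = "https://bridge.example.invalid/oauth/token"


@dataclass(frozen=True)
class Credential:
    client_id: str
    client_secret: str


@dataclass
class CachedToken:
    access_token: str
    expires_at: float   # clock reading after which the cache entry is stale
    scopes: tuple


def http_post_form(url: str, form: Dict[str, str]) -> dict:
    """Real transport: form-encoded POST over HTTPS, JSON response (standard OAuth2)."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class BridgeTokenProvider:
    """Mints client_credentials tokens, caches them, and swaps credentials safely."""

    def __init__(self, cred: Credential, transport: Callable[[str, dict], dict] = http_post_form,
                 margin_s: int = 120, clock: Callable[[], float] = time.monotonic):
        self.cred, self.transport, self.margin_s, self.clock = cred, transport, margin_s, clock
        self._cached: Optional[CachedToken] = None
        self._lock = threading.Lock()

    def _mint(self, cred: Credential) -> CachedToken:
        resp = self.transport(TOKEN_URL, {
            "grant_type": "client_credentials",   # credentials go in the body, never the query string
            "client_id": cred.client_id,
            "client_secret": cred.client_secret,
        })
        if "access_token" not in resp:
            raise RuntimeError(f"token request failed: {resp.get('error', 'unknown')}")
        # TTL is expires_in (60 min on the bridge) minus the margin: ~58 min, never hard-coded.
        ttl = max(int(resp.get("expires_in", 0)) - self.margin_s, 0)
        # ASSUMPTION: granted scopes arrive in the standard space-separated "scope" field.
        return CachedToken(resp["access_token"], self.clock() + ttl,
                           tuple(str(resp.get("scope", "")).split()))

    def token(self) -> str:
        with self._lock:   # one mint per expiry even with concurrent workers
            if self._cached is None or self.clock() >= self._cached.expires_at:
                self._cached = self._mint(self.cred)
            return self._cached.access_token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token()}"}

    def rotate(self, new_cred: Credential) -> None:
        """Prove the new credential mints before dropping the old one, so a mispasted
        secret cannot take the integration down; revoke the old credential afterwards."""
        fresh = self._mint(new_cred)   # raises on failure, leaving the old credential active
        with self._lock:
            self.cred, self._cached = new_cred, fresh


class FakeBridge:
    """Constructed stand-in for the bridge token endpoint so the example runs offline."""
    def __init__(self, valid: Dict[str, str]):
        self.valid, self.minted = dict(valid), 0   # client_id -> client_secret

    def revoke(self, client_id: str) -> None:      # Settings -> API Credentials -> Revoke
        self.valid.pop(client_id, None)

    def __call__(self, url: str, form: dict) -> dict:
        if form.get("grant_type") != "client_credentials":
            return {"error": "unsupported_grant_type"}
        if self.valid.get(form.get("client_id")) != form.get("client_secret"):
            return {"error": "invalid_client"}
        self.minted += 1
        return {"access_token": f"tok-{form['client_id']}-{self.minted}", "token_type": "Bearer",
                "expires_in": 3600, "scope": "invoice document"}


class FakeClock:
    def __init__(self): self.now = 0.0
    def __call__(self) -> float: return self.now


def demo() -> dict:
    """Mint, cache hit, refresh at ~58 min, a failed rotation, then a successful cutover."""
    bridge = FakeBridge({"cid-old": "sec-old", "cid-new": "sec-new"})
    clock = FakeClock()
    provider = BridgeTokenProvider(Credential("cid-old", "sec-old"), transport=bridge, clock=clock)
    first, second = provider.token(), provider.token()     # second call is a cache hit
    clock.now += 3500                                      # past the 58-minute refresh point
    third = provider.token()                               # re-minted before the 60-minute expiry
    try:
        provider.rotate(Credential("cid-bogus", "wrong"))  # bad paste: old credential survives
        bad_rotation_raised = False
    except RuntimeError:
        bad_rotation_raised = True
    provider.rotate(Credential("cid-new", "sec-new"))      # switch the integration over ...
    bridge.revoke("cid-old")                               # ... then revoke the old credential
    return {"first": first, "second": second, "third": third, "minted": bridge.minted,
            "bad_rotation_raised": bad_rotation_raised, "active": provider.cred.client_id,
            "header": provider.auth_header()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points. The cache TTL is computed from the `expires_in` the bridge actually returns, so if the lifetime is ever shortened the client follows automatically. `rotate()` mints with the new credential before it replaces the old one, which makes the "create new, switch over, revoke old" sequence safe against a mispasted secret. The fake does not model the resource server, so it cannot show the one thing the revocation step warns about: a token minted by the old credential stays accepted until its own expiry even after the credential is revoked.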
Last updated · May 2026
Independent reference. MyInvois is operated by LHDN. We are not affiliated with LHDN.