Issues an access token with the OAuth 2.0 client_credentials grant (machine / server-to-server). No x-api-key on later API calls—company is in the JWT. Not for dashboard user refresh; use POST /v3/auth/token for Supabase refresh tokens. No refresh token; re-request when expired (~1h).

Send client_id, client_secret, and grant_type=client_credentials in the form (optional scope). The API also accepts RFC 6749 client authentication via Authorization: Basic (e.g. curl -u); that is not a separate OpenAPI security scheme—the oauth2 scheme above is for calling other endpoints after you obtain a Bearer token from this URL.

Swagger: Use Authorize → oauth2 (client credentials) on /availability and the rest of the API. For this request, fill the form fields only; this operation sets security: [] so the explorer does not attach Bearer to the token request.