Create a dedicated API Client in Jamf Pro under Settings > System > API Roles and Clients; assign only the minimum required role privileges
POST client credentials (client_id and client_secret) to https://{your-jamf-instance}/api/oauth/token with Content-Type: application/x-www-form-urlencoded and grant_type=client_credentials
Extract the access_token value from the JSON response; it is valid for the duration specified in expires_in (seconds)
Include the token in subsequent requests as Authorization: Bearer {access_token}
Before expiry, POST to https://{your-jamf-instance}/api/v1/auth/keep-alive with the current valid token to receive a refreshed token without re-authenticating
Invalidate the token after use by POST to https://{your-jamf-instance}/api/v1/auth/invalidate-token
Known gotchas
Basic authentication directly against /api/v1/auth/token still works but Jamf deprecated it in favor of API Clients (OAuth client credentials) for production automation; plan migration accordingly
Tokens expire after 20 minutes by default; long-running scripts must implement keep-alive or token refresh logic to avoid mid-run 401 errors
API Client credentials are scoped per client; do not reuse a single client across unrelated automation pipelines, as a compromised secret would expose all associated operations
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp