Skip to main content
Questions or issues? Contact us at api-support@manus.ai. This walkthrough creates a credential, mints an OAuth access token, and lists team members. Prerequisites: your team is an Enterprise Team and your account has the Owner or Admin role.

Step 1 — Create an API credential

Credential management RPCs require a session token, not an OAuth token. Open Manus in your browser, then in DevTools → Network copy the Bearer ... value from the Authorization header on any UserInfo request. 
curl --location --request POST 'https://api.manus.im/team.v1.TeamManagementService/CreateApiCredential' \
  --header 'Authorization: Bearer <your-session-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "name": "SailPoint Production"
  }'
The response includes clientId and clientSecret. The secret is shown only once — store it in a secrets manager immediately. 
{
  "clientId": "tm_RRa7dgjD_AFhru6AnZJ8W",
  "clientSecret": "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456"
}

Step 2 — Mint an OAuth access token

curl --location --request POST 'https://api.manus.im/api/user/manage/v1/oauth/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=tm_RRa7dgjD_AFhru6AnZJ8W' \
  --data-urlencode 'client_secret=<your-client-secret>'
The response carries an access_token valid for 3600 seconds: 
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}
Cache it and reuse for the full hour — minting a fresh token on every request will hit rate limits.

Step 3 — Call a users endpoint

curl --location --request GET 'https://api.manus.im/api/user/manage/v1/users?limit=100&offset=0' \
  --header 'Authorization: Bearer <your-access-token>'

{
  "users": [
    {
      "email": "alice@example.com",
      "userName": "Alice",
      "firstName": "Alice",
      "lastName": "Smith",
      "status": "active",
      "role": "member"
    }
  ],
  "total": 50,
  "limit": 100,
  "offset": 0
}
From here you can:

Considering v2?

v2 of this API replaces session-token credential management with the standard X-API-Key flow (issued from Compliance API settings, no DevTools step) and adds the Profile Migration workflow for taking over a deactivated colleague’s data. Prefer v2 for new integrations.