The Customer API should support machine-to-machine OAuth using the client_credentials grant type, where the calling service asserts Reader Group IDs via request headers. The API should enforce article-level ACL for those groups server-side, returning only content the asserted groups can access, without requiring a user session or a JWT tied to an individual reader. Because a header is only an assertion made by the caller, the API should also bind it to the client credential: each OAuth client is registered with the set of Reader Groups it is allowed to assert, and a request naming any other group is rejected rather than silently narrowed. Currently the Customer API only supports static api_token authentication with no reader-group-based access control.
Use case: A media and services enterprise has a server-to-server middleware integration with no end user session. Their integration layer needs to call Document360 APIs directly on behalf of service agents, with reader-group-based ACL enforced so each agent only sees articles their group has access to. Static API tokens do not support this — they either return everything or nothing.
How this helps users: Unlocks Document360 as an embedded KB for enterprise service platforms where SSO or user-session-based auth is not feasible. Enables secure, role-based content delivery via API in server-to-server integrations — a common pattern in SAP, Salesforce, and ServiceNow ecosystems.
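The following is an added example, not Document360 code, showing the server-side shape of what is being requested: a bearer token obtained through a client_credentials grant identifies the calling service, a request header carries the asserted Reader Group IDs, and the API filters articles by ACL. The header name X-Reader-Group-Ids, the token and client tables, the article data and the ID values are all constructed for illustration. The point the example makes is the caveat above: the header is honoured only for groups the authenticated client is registered to assert, so a billing integration cannot read support-team content by naming a support group, and a request that asserts no group is refused instead of returning everything.

```python
import hmac
from dataclasses import dataclass


class AuthError(Exception):
    """Raised when a request must be refused (401/403 in a real API)."""


@dataclass(frozen=True)
class Client:
    client_id: str
    # Reader groups this service credential may assert. Binding the header
    # to the credential is what makes a header-based assertion safe to honour.
    allowed_groups: frozenset


@dataclass(frozen=True)
class Article:
    article_id: str
    title: str
    reader_groups: frozenset  # groups with read access; empty means none via this API


# Constructed sample data; hypothetical identifiers, not real Document360 data.
CLIENTS = {
    "svc-middleware": Client("svc-middleware", frozenset({"support-tier1", "support-tier2"})),
    "svc-billing": Client("svc-billing", frozenset({"billing-agents"})),
}

# Opaque access tokens as issued by a client_credentials grant, resolved
# server-side to the client they were issued to. Constructed values.
ACCESS_TOKENS = {
    "tok_middleware_3f9a": "svc-middleware",
    "tok_billing_7c21": "svc-billing",
}

ARTICLES = [
    Article("art-100", "Password reset runbook", frozenset({"support-tier1", "support-tier2"})),
    Article("art-101", "Escalation matrix", frozenset({"support-tier2"})),
    Article("art-102", "Refund policy", frozenset({"billing-agents"})),
    Article("art-103", "Internal incident notes", frozenset({"security-team"})),
]

GROUP_HEADER = "x-reader-group-ids"  # assumed header name for the feature


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def resolve_client(headers):
    """Authenticate the calling service from its bearer token."""
    scheme, _, token = _header(headers, "authorization").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise AuthError("missing or malformed bearer token")
    client_id = None
    # Compare against every known token in constant time so lookup timing
    # does not reveal how much of a guessed token matched.
    for known, owner in ACCESS_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            client_id = owner
    if client_id is None:
        raise AuthError("unknown access token")
    return CLIENTS[client_id]


def parse_group_header(value):
    """Split a comma-separated group list; blank entries are dropped."""
    return frozenset(g.strip() for g in value.split(",") if g.strip())


def list_articles(headers):
    """Return the articles visible to the reader groups asserted in the request.

    The group header is only an assertion. It is honoured solely for groups
    the authenticated client is allowed to assert; anything else is refused
    rather than silently narrowed, so a misconfigured integration fails
    loudly instead of quietly leaking or hiding content.
    """
    client = resolve_client(headers)
    asserted = parse_group_header(_header(headers, GROUP_HEADER))
    if not asserted:
        raise AuthError("no reader group asserted; refusing to return everything")
    overreach = asserted - client.allowed_groups
    if overreach:
        raise AuthError(f"client {client.client_id} may not assert {sorted(overreach)}")
    return [a for a in ARTICLES if a.reader_groups & asserted]


def handle(headers):
    """Handler shape: (status, body) instead of raising, for callers and tests."""
    try:
        return 200, [a.article_id for a in list_articles(headers)]
    except AuthError as exc:
        return 403, str(exc)


if __name__ == "__main__":
    req = {"Authorization": "Bearer tok_middleware_3f9a", "X-Reader-Group-Ids": "support-tier1"}
    print(handle(req))
```

In a real deployment the allowed-group binding would live in the OAuth client registration (or be carried as a scope or claim in the issued token) rather than in an in-memory table, and the refusal would map to 401 for a bad token and 403 for an overreaching group assertion; the filtering and the overreach check are the part that the static api_token model cannot express.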