
Authorization Tokens

Authorization tokens are issued when a user is authenticated for secure content. The token is provided as a header, and every call to a secured endpoint must include the same header; otherwise the API returns an Unauthorized response.

Note

JavaScript-based applications, such as the dashboard, do not use the header directly, for security reasons. Instead, a cookie is automatically managed by the API. Any other client must use the Authorization header, as explained here.

When a token endpoint is successful, it will return a token via the Authorization header. To access a secured endpoint, provide this same header/value with the request.

Refresh Tokens

A token is only valid for a short amount of time. Any secured endpoint may provide a new token at any time, so every response from a secured endpoint should be checked for a new Authorization header. A new token will only be provided if the old one has expired.

Once a new token is provided by the API, all subsequent requests (to secured endpoints) must use the new token.

Note

Due to concurrency issues, a token that has expired is still allowed for up to 60 seconds. After that, any request that is sent with the expired token will fail.
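
The refresh rule above, seen from a non-browser client, as an added example that is not code from the API or its project: a thread-safe token holder that sends the Authorization header and adopts any replacement found in a response. TokenStore, call_secured, FakeApi, the send callable and the 300-second TTL are assumptions made for illustration. The stand-in server also assumes that the 60 seconds are counted from expiry and that every request inside that window returns the same replacement token.

```python
import threading

class TokenStore:
    """Thread-safe holder for the current Authorization header value."""
    def __init__(self, token):
        self._lock, self._token = threading.Lock(), token

    def get(self):
        with self._lock:
            return self._token

    def adopt(self, response_headers):
        """Switch to the token in a response's Authorization header, if any."""
        new = response_headers.get("Authorization")
        with self._lock:
            if new and new != self._token:
                self._token = new
                return True
        return False

def call_secured(store, send, path):
    """Send one request with the current token, then check the response for a new one."""
    status, headers, body = send(path, {"Authorization": store.get()})
    store.adopt(headers)  # all later requests use the replacement
    return status, body

class FakeApi:
    """Constructed stand-in for the API (assumed model, not the real server)."""
    TTL, GRACE = 300, 60  # TTL is made up; the 60 s grace is from the page

    def __init__(self, token, now=0):
        self.now, self.count = now, 0
        self.expiry, self.successor = {token: now + self.TTL}, {}

    def send(self, path, headers):
        token = headers.get("Authorization")
        expires = self.expiry.get(token)
        if expires is None or self.now > expires + self.GRACE:
            return 401, {}, "Unauthorized"
        if self.now < expires:
            return 200, {}, "ok"  # still valid: no new token is provided
        # Expired but inside the grace window: hand back one shared replacement.
        if token not in self.successor:
            self.count += 1
            new = f"constructed-token-{self.count}"
            self.successor[token], self.expiry[new] = new, self.now + self.TTL
        return 200, {"Authorization": self.successor[token]}, "ok"
```

With a real HTTP library, pass a send callable that returns the status, the response headers and the body, and look the header up case-insensitively.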