POST /auth/api/token
Issue a new access + refresh token pair.
Exchange the API key for a short-lived accessToken (used on every
other endpoint) and a refreshToken. Call once at process boot, not
per-request.
Use case
Service startup: read API_KEY from secrets, call this, cache
accessToken in memory, persist refreshToken for restarts.
Headers
| Header | Required | Description |
|---|---|---|
x-api-key | yes | Your client API key. |
Body
None.
Response 200
{
"accessToken": "<jwt>",
"refreshToken": "<string>",
"expiresIn": 900,
"tokenType": "Bearer"
}
| Field | Description |
|---|---|
accessToken | JWT to send as Authorization: Bearer … on every other request. |
refreshToken | Use on POST /auth/api/refresh. |
expiresIn | Access-token lifetime in seconds. |
tokenType | Always Bearer. |
Errors
| Status | Meaning |
|---|---|
401 | Missing x-api-key. |
403 | API key invalid or inactive. |
Example
curl -X POST "$BASE_URL/auth/api/token" \
-H "x-api-key: $API_KEY"