Get an API access token

Generates a unique token with every successful call.

  • Tokens are kept in a distributed key-value store.
  • Users who are mapped to authentication sources of type pki must include their client certificate with every request that uses the authentication token obtained here.
  • Obtaining authorization tokens using a client certificate is not currently supported in the API Explorer UI.
  • A given user can have a maximum of 10 tokens in use at the same time.
    • Additional token requests beyond that limit will cause older tokens (expired or not) to be deleted to allow new token provisioning.
    • See also DELETE /auth/token: users can explicitly delete their authentication tokens (instead of waiting for token expiration or rotation).
  • A token is usable for the number of minutes stored in the token_lifetime property of the calling user's database record.
  • To determine the value of token_lifetime for the calling user, see the value returned by GET /api/users/current.
  • The default token_lifetime property value is 30 (minutes).
  • Set the X-Auth-Refresh-Token header to true with any authenticated API call in order to automatically extend the token expiration for the calling user.
    • Requires the token used in the authenticated request to be valid and not yet expired.
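
The token rules listed above (10-token limit with deletion of older tokens, token_lifetime expiry, refresh header), modelled as an added Python example; it is not the product's code. Assumptions: "older" means issued earliest, a refresh resets expiry to the current time plus token_lifetime, and time is counted in whole minutes; TokenStoreModel and its method names are hypothetical.

```python
import secrets
from collections import OrderedDict

MAX_TOKENS = 10        # per-user limit stated on this page
DEFAULT_LIFETIME = 30  # default token_lifetime, in minutes

class TokenStoreModel:
    """Toy in-memory model of the documented token rules (hypothetical)."""

    def __init__(self, token_lifetime=DEFAULT_LIFETIME):
        self.lifetime = token_lifetime
        self.tokens = {}  # user -> OrderedDict(token -> expiry minute), oldest first

    def issue(self, user, now):
        """Issue a unique token; return (token, tokens deleted to make room)."""
        held = self.tokens.setdefault(user, OrderedDict())
        evicted = []
        while len(held) >= MAX_TOKENS:  # deleted whether expired or not
            old, _ = held.popitem(last=False)
            evicted.append(old)
        token = secrets.token_hex(16)
        held[token] = now + self.lifetime
        return token, evicted

    def authenticate(self, user, token, now, refresh=False):
        """Validate a token; refresh=True models X-Auth-Refresh-Token: true."""
        held = self.tokens.get(user, {})
        expiry = held.get(token)
        if expiry is None or now >= expiry:
            return False  # unknown, deleted or expired: no refresh possible
        if refresh:
            held[token] = now + self.lifetime  # assumed extension rule
        return True

    def delete(self, user, token):
        """Models DELETE /auth/token: explicit removal by the user."""
        return self.tokens.get(user, {}).pop(token, None) is not None

def demo():
    """An 11th request deletes the oldest token even though it has not expired."""
    store = TokenStoreModel()
    first, _ = store.issue("alice", now=0)  # constructed sample user
    for _ in range(9):
        store.issue("alice", now=1)
    _, evicted = store.issue("alice", now=2)
    return first in evicted, store.authenticate("alice", first, now=3)
```

A job that requests a fresh token on every run can therefore invalidate tokens still held by the same user's other sessions; reusing one token with the refresh header, and deleting it when finished, avoids that churn.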