Get an access token
Exchange your publishable key at the token endpoint. The endpoint itself is unauthenticated — the credential travels in the body:cURL
Response
The token to send as
Authorization: Bearer <access_token>.Token lifetime in seconds. Request a new token when it expires — exchanges
are cheap, so exchanging shortly before expiry is the simplest strategy.
The agent your messaging calls will run against. The token carries the agent,
so messaging requests never include an
agent_id in the body.Your publishable key is issued in the AUI Console. Publishable keys are safe
to use from client-side code — that’s what makes them “publishable” — and can
additionally be restricted to allowed web origins and IP ranges.
Which credential for which surface
| Surface | Paths | Accepted credentials |
|---|---|---|
| Messaging | /messaging/v1/... | Bearer token (from a publishable key) |
| Management | /management/v1/... | Bearer token (from a login session) or organization API key |
Organization API key (management only)
Server-to-server management calls can skip the token flow and authenticate with your organization API key in a header:WebSocket authentication
The WebSocket session authenticates on the upgrade request with the same Bearer token:1008 (policy violation). See WebSocket.
Failed authentication
Requests without a valid credential return401 in the standard
error envelope:
401
400
Best practices
Reuse tokens for their lifetime
Exchange once and reuse the token until
expires_in elapses rather than
exchanging per request.