Authentication
Widget tokens
Minting short-lived JWTs via POST /v1/tokens for one connect flow.
The widget must never see an API key. Instead your backend mints a short-lived JWT and hands it to the browser:
curl -X POST http://localhost:8080/v1/tokens \
-H "Authorization: Bearer <YOUR_KEY>" \
-H "Content-Type: application/json" \
-d '{"application_id":"<APP_ID>","domain":"app.customer.com"}'
# → { "auth_token": "...", "expires_at": "..." }

- The token is bound to the application and, optionally, to a single domain. A domain-bound token may only act on that hostname; a token minted without a domain is not restricted to any host, so pass the embedding page's hostname whenever you know it.
- TTL is 60 minutes. On expiry the widget surfaces "session expired", and your host app mints a fresh token; the browser cannot do this itself because it never holds the API key.
- Minting requires the calling key to hold connections:write, so a read-only key cannot escalate to write access via the widget surface.
- A widget JWT carries connections:read and connections:write and is accepted on the browser-facing endpoints: domains:check, connections, connections/{id} and records:check.
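The flow above, minting on the backend and handing only the JWT to the page, as an added Node.js example. This is not the project's SDK or server code; it assumes a host-app backend that reads its API key from an environment variable, derives the domain to bind from the browser's Origin header checked against an allowlist of hostnames the widget is embedded on, and re-mints a minute before expires_at so the widget does not hit "session expired" mid-flow. The env var names, the allowlist and the injectable fetch are assumptions for illustration.

```javascript
// Added example (not the project's SDK): a host-app backend helper that mints
// a widget JWT for a browser page while keeping the API key server-side.
// Assumed, not from the docs: WIDGET_API_BASE env var, an allowlist of hosts
// the widget is embedded on, and the Origin header as the source of `domain`.

const API_BASE = process.env.WIDGET_API_BASE || "http://localhost:8080";
const REFRESH_SKEW_MS = 60 * 1000; // re-mint a minute before the server's expires_at

// Choose the domain to bind from the browser's Origin header, but only if it
// is one of the hostnames we actually embed the widget on. Letting the client
// name an arbitrary domain would turn the binding into a no-op.
function resolveBindDomain(originHeader, allowedHosts) {
  let host;
  try {
    host = new URL(originHeader).hostname;
  } catch {
    return null;
  }
  return allowedHosts.includes(host) ? host : null;
}

// POST /v1/tokens with the server-side API key. fetchImpl is injectable so the
// function can be exercised against a fake without a running API.
async function mintWidgetToken({ apiKey, applicationId, domain, fetchImpl = globalThis.fetch }) {
  if (!apiKey || !applicationId || !domain) {
    throw new Error("apiKey, applicationId and domain are all required");
  }
  const res = await fetchImpl(`${API_BASE}/v1/tokens`, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${apiKey}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ application_id: applicationId, domain }),
  });
  if (!res.ok) {
    // A key lacking connections:write is refused by the API; treat any
    // non-2xx as a server-side misconfiguration, not something for the page.
    throw new Error(`token mint failed: HTTP ${res.status}`);
  }
  const body = await res.json();
  return { authToken: body.auth_token, expiresAt: new Date(body.expires_at) };
}

// What the host app returns to its own page: the JWT and when to ask again.
// The API key never appears in this object.
function toBrowserPayload(minted, now = Date.now()) {
  const refreshAt = minted.expiresAt.getTime() - REFRESH_SKEW_MS;
  return {
    auth_token: minted.authToken,
    expires_at: minted.expiresAt.toISOString(),
    refresh_in_ms: Math.max(0, refreshAt - now),
  };
}

// Browser side: is a cached token close enough to expiry that the widget
// should ask the host app for a fresh one before starting a flow?
function tokenNeedsRefresh(expiresAtIso, now = Date.now()) {
  return Date.parse(expiresAtIso) - now <= REFRESH_SKEW_MS;
}

// Glue for an HTTP handler: returns the browser payload, or null when the
// requesting origin is not one we serve the widget on.
async function handleWidgetTokenRequest(req, cfg) {
  const domain = resolveBindDomain(req.origin, cfg.allowedHosts);
  if (!domain) return null;
  const minted = await mintWidgetToken({
    apiKey: cfg.apiKey,
    applicationId: cfg.applicationId,
    domain,
    fetchImpl: cfg.fetchImpl,
  });
  return toBrowserPayload(minted, req.now);
}
```

Wire handleWidgetTokenRequest behind an authenticated route on your own backend and have the widget call that route, never /v1/tokens; a null result should map to a 403 from your server rather than an unbound token.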
See The widget SDK for how the browser uses this token, and Create a connection for the API calls it drives.