Connect Domain
Authentication

Widget tokens

Minting short-lived JWTs via POST /v1/tokens for one connect flow.

The widget must never see an API key. Instead your backend mints a short-lived JWT and hands it to the browser:

curl -X POST http://localhost:8080/v1/tokens \
  -H "Authorization: Bearer <YOUR_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"application_id":"<APP_ID>","domain":"app.customer.com"}'
# → { "auth_token": "...", "expires_at": "..." }
  • The token is bound to the application and (optionally) a single domain. A domain-bound token may only act on that hostname.
  • TTL is 60 minutes; on expiry the widget surfaces "session expired" and your host app mints a fresh token.
  • Minting requires the calling key to hold connections:write (so a read-only key can't escalate to write via the widget surface).
  • A widget JWT carries connections:read + connections:write and is accepted on the browser-facing endpoints (domains:check, connections, connections/{id}, records:check).
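The mint-and-refresh flow above, as an added example that is not code from the Connect Domain docs or SDK: a small server-side token broker that keeps the API key off the browser, mints only for hostnames it is configured to serve, and re-mints a widget JWT before the 60-minute TTL runs out so the widget does not hit "session expired" mid-flow. The endpoint shape (POST /v1/tokens with application_id and domain, returning auth_token and expires_at) is from the page; the environment variable names, the domain allowlist, the 5-minute refresh margin and all helper names are assumptions.

```javascript
// Added example (not from the Connect Domain docs). Assumed: env var names,
// the allowlist, the 5-minute refresh margin, and every helper name below.

const API_BASE = process.env.CONNECT_API_BASE || "http://localhost:8080";
const API_KEY = process.env.CONNECT_API_KEY; // server-side secret; never returned to the browser

// Build the POST /v1/tokens request. `domain` is optional: omit it for a
// token that is not bound to a single hostname.
function buildMintRequest(applicationId, domain) {
  const body = { application_id: applicationId };
  if (domain) body.domain = domain;
  return {
    url: `${API_BASE}/v1/tokens`,
    options: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${API_KEY}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify(body),
    },
  };
}

// True when a cached token is expired or within `marginMs` of expiry, so the
// host app hands the widget a fresh one before it surfaces "session expired".
// An unparseable expires_at is treated as stale rather than trusted.
function needsRefresh(expiresAt, nowMs = Date.now(), marginMs = 5 * 60 * 1000) {
  const expiryMs = Date.parse(expiresAt);
  if (Number.isNaN(expiryMs)) return true;
  return expiryMs - nowMs <= marginMs;
}

// Calls the real endpoint with the server-side key (Node 18+ global fetch).
async function mintViaApi(applicationId, domain) {
  const { url, options } = buildMintRequest(applicationId, domain);
  const res = await fetch(url, options);
  if (!res.ok) throw new Error(`token mint failed: HTTP ${res.status}`);
  return res.json(); // { auth_token, expires_at }
}

class TokenBroker {
  // mint: async (applicationId, domain) => { auth_token, expires_at }
  // allowedDomains: hostnames this backend is willing to mint for. The domain
  // must come from server configuration, not from the browser request, since
  // a domain-bound token acts on whatever hostname it was minted for.
  constructor({ mint = mintViaApi, allowedDomains = [], now = () => Date.now() } = {}) {
    this.mint = mint;
    this.allowedDomains = new Set(allowedDomains);
    this.now = now;
    this.cache = new Map(); // `${applicationId}|${domain}` -> token response
    this.mintCalls = 0;
  }

  async getToken(applicationId, domain) {
    if (domain && !this.allowedDomains.has(domain)) {
      throw new Error(`refusing to mint a token for unconfigured domain ${domain}`);
    }
    const key = `${applicationId}|${domain || ""}`;
    const cached = this.cache.get(key);
    if (cached && !needsRefresh(cached.expires_at, this.now())) return cached;
    const fresh = await this.mint(applicationId, domain);
    this.mintCalls += 1;
    this.cache.set(key, fresh);
    return fresh; // pass only auth_token and expires_at on to the browser
  }
}
```

Wire `TokenBroker.getToken` behind an authenticated route on your own backend (one that already knows which user and hostname it is serving) and return the response body to the widget; the browser never sees the key used in `mintViaApi`, and the cache keeps each page load from hitting /v1/tokens until the token is inside the refresh margin.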

See The widget SDK for how the browser uses this token, and Create a connection for the API calls it drives.