Skip to main content
The Simply Tokenized API uses a client credentials flow. Exchange your client_id and client_secret for a short-lived JWT bearer token.

Flow

Request

POST /_api/auth
FieldTypeRequiredDescription
client_idstringYesAPI credential identifier
client_secretstringYesAPI credential secret
scopesstring[]YesFine-grained permissions to request (see Scopes)
api_versionstringNoAPI contract date (YYYY-MM-DD). Defaults to credential default or 2026-07-02 (beta)

Response

FieldTypeDescription
access_tokenstringJWT bearer token
token_typestringAlways "Bearer"
expires_atstringISO 8601 expiry timestamp

JWT claims

The access token is an HS256 JWT with these claims:
ClaimDescription
client_idAPI credential ID
tenant_idTenant the credential belongs to
scopesGranted fine-grained permissions
api_versionLocked API contract version (e.g. 2026-07-02, currently beta)
issst-external-api
audst-api
iat / expIssued at / expiry (10-minute TTL)

Token validity

Access tokens are valid for 600 seconds (10 minutes). After expiry, call POST /_api/auth again.

Response headers

HeaderDescription
ST-Api-VersionAPI contract version used for the response (e.g. 2026-07-02)
ST-Api-Version-Betatrue for beta versions — sent on all 2026-07-02 responses

Using the token

Include the token on all protected requests:
Authorization: Bearer {access_token}

Using the API playground

The API Reference includes an interactive playground on each endpoint. You do not need to paste your bearer token on every request — set it once and reuse it across endpoints.
1

Get an access token

Open Authenticate (POST /_api/auth) in the API Reference. Run the request with your client_id, client_secret, and scopes. Copy the access_token from the response.
2

Authorize once

In the API Reference, open the Auth (or Authorize) section. Paste your access_token into the bearer token field. You do not need to include the Bearer prefix — the playground adds it automatically.
3

Try any endpoint

Navigate to any protected endpoint and use Try it. The playground sends your saved token on every request until you clear it or it expires.
4

Refresh when expired

Access tokens expire after 10 minutes. When requests start returning 401, call POST /_api/auth again and update the token in the Auth section.
The playground stores your token in your browser’s local storage for this documentation site. It persists when you move between endpoints and refresh the page, but it is not shared across browsers or devices.
For longer testing sessions, use a REST client such as Postman or Insomnia with a saved environment variable for access_token.

Failed authentication alerts

After 3 consecutive failed authentication attempts for the same API credential, an email notification is sent to the tenant administrators. The API credential is not automatically disabled. If you receive repeated failure alerts, verify your client_id and client_secret, confirm you are calling the correct environment base URL, and rotate the credential if the secret may have been compromised.

Security notes

  • Never expose client_secret in client-side code or public repositories
  • Store credentials in environment variables or a secrets manager
  • Request only the scopes your integration needs