Authentication
AURA authenticates every request with a bearer token (a JWT) generated from
your clientId and clientSecret. These credentials identify your integration
— your customer source — and must only ever be used from a backend.
How it works
- Exchange your server credentials for a bearer token.
- Send that token in the Authorization header on every request.
- Request a new token when the current one expires.
For the exact request and response, see Exchange credentials for a token in the API Reference. A callout-scoped token adds a customer lookup — an unknown customerId returns 404.
Token types
- Server token — for backend integrations. Carries the full access of your customer source.
- Callout-scoped token — a narrower token limited to a single customer’s callout flow. Use it for sessions that should not carry full access. A callout-scoped token is rejected with 401 on any endpoint outside the callout flow. See Create a callout-scoped token.
Token lifetime
Token lifetime is fixed per customer source and returned as expiresIn
(seconds). It is not a request parameter — it can only be changed by the AURA
engineering team on request. Refresh by requesting a new token rather than
creating one per request, and never expose credentials or tokens in client
applications.
If your integration needs a different lifetime cadence, contact the AURA engineering team.
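The exchange-cache-refresh cycle from "How it works" and "Token lifetime", as an added backend-side example (not AURA's own client code). It assumes the exchange call returns the token in an accessToken field beside the documented expiresIn; the endpoint itself is stubbed so the example runs offline.

```python
import os
import time
from typing import Callable, Dict, Optional

# Response shape of the exchange call. `expiresIn` (seconds) is documented;
# the `accessToken` field name is an assumption for this example.
TokenResponse = Dict[str, object]


class TokenManager:
    """Caches one bearer token and re-sends credentials only when the cached
    token is about to expire, instead of exchanging once per request."""

    def __init__(self, exchange: Callable[[str, str], TokenResponse],
                 client_id: str, client_secret: str,
                 now: Callable[[], float] = time.time, margin_s: int = 30):
        self._exchange = exchange        # performs the HTTP exchange (injected)
        self._client_id = client_id
        self._client_secret = client_secret
        self._now = now                  # injectable clock, so tests can advance it
        self._margin_s = margin_s        # refresh this many seconds before expiry
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def bearer(self) -> str:
        # Lifetime is fixed per customer source, so expiresIn is the only signal.
        if self._token is None or self._now() >= self._expires_at - self._margin_s:
            resp = self._exchange(self._client_id, self._client_secret)
            self._token = str(resp["accessToken"])
            self._expires_at = self._now() + int(resp["expiresIn"])
        return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.bearer()}"}


class FakeTokenEndpoint:
    """Constructed stand-in for the exchange endpoint; counts credential sends."""

    def __init__(self) -> None:
        self.calls = 0

    def exchange(self, client_id: str, client_secret: str) -> TokenResponse:
        self.calls += 1
        return {"accessToken": f"jwt-{client_id}-{self.calls}", "expiresIn": 600}


def demo() -> int:
    # Credentials are read from the backend's environment, never shipped to clients.
    endpoint = FakeTokenEndpoint()
    tm = TokenManager(endpoint.exchange, os.environ.get("AURA_CLIENT_ID", "demo-id"),
                      os.environ.get("AURA_CLIENT_SECRET", "demo-secret"))
    tm.auth_header()
    tm.auth_header()  # second request reuses the cached token
    return endpoint.calls
```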
