Skip to main content

Overview

The Toku API uses Bearer token authentication. Every request must include a personal API token in the Authorization header, along with a role type header specifying the permission context.

Getting Your API Token

1

Create a token

Call the createUserApiToken endpoint with your existing session credentials, or ask a Toku administrator to provision one for you.
The response includes your new API token. Store it securely — it cannot be retrieved again.
2

Use the token

Include the token in every API request:
3

Refresh when needed

Tokens expire after 30 days. Refresh before expiry:

Required Headers

Role Types

The x-role-type header determines what permissions your request has. Your API token must belong to a user with the specified role in the organization.
For most 3rd party integrations, CLIENT_ORG_ADMIN is the recommended role type. It provides full access to grants, wallets, employees, and organization settings.

Token Scoping

Each API token is scoped to a single organization. If you manage multiple organizations, you need a separate token for each. The token inherits the permissions of the user who created it. If the user’s role is revoked, the token stops working.

Security Best Practices

  • Never expose tokens in client-side code — API tokens should only be used in server-to-server communication
  • Rotate tokens regularly — use refreshUserApiToken to get a new token before the current one expires
  • Use the minimum required role — if your integration only needs to read grants, consider using a role with read-only access
  • Monitor usage — Toku logs all API access by token for audit purposes

Error Responses