Overview
Partner authentication in Toku uses scoped API tokens. Your backend obtains a token by calling thecreateUserApiToken endpoint with your organization credentials, then includes that token in all subsequent API requests.
Before you begin, you’ll need organization credentials from Toku. Contact Toku to provision your organization and obtain initial credentials.
Token Exchange Flow
For detailed information on token concepts and security best practices, see API Authentication.1
Obtain initial credentials
Toku provisions your organization with initial credentials during onboarding. Store these securely.
2
Create an API token
Call Response:Store the token securely — it cannot be retrieved again.
POST /createUserApiToken with your organization credentials:3
Use the token in requests
Include the token in every API request:
4
Refresh before expiry
Tokens expire after 30 days. Refresh before expiry using Response:
POST /refreshUserApiToken:Required Headers
Every request must include these headers:Token Scoping
Each API token is scoped to a single organization and inherits the permissions of the user who created it. If the user’s role is revoked, the token stops working.Role Types
Thex-role-type header determines request permissions:
Rate Limits
API requests are rate-limited to 100 requests per minute per IP. For details on rate limit errors and other error responses, see Error Handling.Next Steps
Create API Token
Endpoint reference for token creation
Refresh API Token
Endpoint reference for token refresh
