Skip to main content

Overview

Partner authentication in Toku uses scoped API tokens. Your backend obtains a token by calling the createUserApiToken endpoint with your organization credentials, then includes that token in all subsequent API requests.
Before you begin, you’ll need organization credentials from Toku. Contact Toku to provision your organization and obtain initial credentials.

Token Exchange Flow

For detailed information on token concepts and security best practices, see API Authentication.
1

Obtain initial credentials

Toku provisions your organization with initial credentials during onboarding. Store these securely.
2

Create an API token

Call POST /createUserApiToken with your organization credentials:
Response:
Store the token securely — it cannot be retrieved again.
3

Use the token in requests

Include the token in every API request:
4

Refresh before expiry

Tokens expire after 30 days. Refresh before expiry using POST /refreshUserApiToken:
Response:

Required Headers

Every request must include these headers:

Token Scoping

Each API token is scoped to a single organization and inherits the permissions of the user who created it. If the user’s role is revoked, the token stops working.

Role Types

The x-role-type header determines request permissions:

Rate Limits

API requests are rate-limited to 100 requests per minute per IP. For details on rate limit errors and other error responses, see Error Handling.

Next Steps

Create API Token

Endpoint reference for token creation

Refresh API Token

Endpoint reference for token refresh