Skip to main content
Short-lived API tokens are JWTs issued from your static API key. They have an expiration time and an optional request limit. Use them when you need to give a time-bound credential to a client (e.g. server issuing tokens for a frontend or worker) without sharing your main API key.
Always use Bearer. When calling any Mobula API with a short-lived token, send it in the header as Authorization: Bearer <token>. Do not use the x-api-key header for short-lived tokens.
Beta. For testing use https://demo-api.mobula.io.
All endpoints below require your static API key in the request (e.g. Authorization: YOUR_API_KEY or x-api-key: YOUR_API_KEY). Short-lived tokens are available on Startup, Growth, and Enterprise plans.

Create tokens

POST /api/2/auth/tokens Creates one or more short-lived tokens. Each token is returned once; store it securely.

Request body

You must provide at least one of the following fields.
FieldTypeRequiredDescription
expiresInnumberNoLifetime in milliseconds. Min 60000 (1 min), max 86400000 (24 h). Default 3600000 (1 h).
countnumberNoNumber of tokens to create (1–25). Default 1.
requestLimitstringNoMax requests allowed per token. Positive integer, max 1000000. Default 5000.

Example

curl -X POST "https://api.mobula.io/api/2/auth/tokens" \
  -H "Authorization: YOUR_STATIC_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"expiresIn": 3600000, "count": 1, "requestLimit": "1000"}'

Response

The token value is returned only once. Store it securely; you cannot retrieve it again.
{
  "createApiTokens": [
    {
      "id": "uuid-of-the-token",
      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "expiresTimeString": "2025-03-10T12:00:00.000Z",
      "requestLimit": "1000",
      "remaining": "1000"
    }
  ]
}
Use the token value in subsequent API calls as: 
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Rate limit: Up to 5 token-creation requests per minute per API key.

List tokens

GET /api/2/auth/tokens Returns all active short-lived tokens for your API key. The token secret is not returned.

Example

curl -X GET "https://api.mobula.io/api/2/auth/tokens" \
  -H "Authorization: YOUR_STATIC_API_KEY"

Response

{
  "apiTokens": [
    {
      "id": "uuid-of-the-token",
      "expiresTimeString": "2025-03-10T12:00:00.000Z",
      "requestLimit": "1000",
      "remaining": "750"
    }
  ]
}

Inspect one token

GET /api/2/auth/token?token=<jwt> Returns metadata for a single short-lived token by its JWT string. Requires your static API key and the token query parameter set to the full JWT.

Query parameters

ParameterTypeRequiredDescription
tokenstringYesThe short-lived JWT to inspect.

Example

curl -X GET "https://api.mobula.io/api/2/auth/token?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Authorization: YOUR_STATIC_API_KEY"

Response

{
  "apiToken": {
    "id": "uuid-of-the-token",
    "expiresTimeString": "2025-03-10T12:00:00.000Z",
    "requestLimit": "1000",
    "remaining": "750"
  }
}

Revoke a token

DELETE /api/2/auth/tokens/:id Revokes a short-lived token by its id. The token stops working immediately.

Path parameters

ParameterTypeRequiredDescription
idstringYesToken ID (UUID) returned when the token was created or from the list endpoint.

Example

curl -X DELETE "https://api.mobula.io/api/2/auth/tokens/uuid-of-the-token" \
  -H "Authorization: YOUR_STATIC_API_KEY"

Response

{
  "deleteApiToken": "uuid-of-the-token"
}

Using a short-lived token on other endpoints

After creating a token, use it for any Mobula API call by sending it only in the Bearer header: 
curl -X GET "https://api.mobula.io/api/1/market/data?asset=bitcoin" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Do not send the short-lived token in x-api-key. Use Authorization: Bearer <token> only.

Authentication overview

Back to API key and short-lived token overview