> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mobula.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Auth Tokens (short-lived)

> Create, list, inspect, and revoke short-lived API tokens. Use them with Bearer authorization only.

Short-lived API tokens are JWTs issued from your static API key. They have an expiration time and an optional request limit. Use them when you need to give a time-bound credential to a client (e.g. server issuing tokens for a frontend or worker) without sharing your main API key.

<Warning>
  **Always use Bearer.** When calling any Mobula API with a short-lived token, send it in the header as `Authorization: Bearer <token>`. Do **not** use the `x-api-key` header for short-lived tokens.
</Warning>

All endpoints below require your **static API key** in the request (e.g. `Authorization: YOUR_API_KEY` or `x-api-key: YOUR_API_KEY`). Short-lived tokens are available on **Startup, Growth, and Enterprise** plans.

***

## Create tokens

**`POST /api/2/auth/tokens`**

Creates one or more short-lived tokens. Each token is returned once; store it securely.

### Request body

You must provide **at least one** of the following fields.

| Field          | Type   | Required | Description                                                                              |
| -------------- | ------ | -------- | ---------------------------------------------------------------------------------------- |
| `expiresIn`    | number | No       | Lifetime in milliseconds. Min 60000 (1 min), max 86400000 (24 h). Default 3600000 (1 h). |
| `count`        | number | No       | Number of tokens to create (1–25). Default 1.                                            |
| `requestLimit` | string | No       | Max requests allowed per token. Positive integer, max 1000000. Default 5000.             |

### Example

```bash theme={null}
curl -X POST "https://api.mobula.io/api/2/auth/tokens" \
  -H "Authorization: YOUR_STATIC_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"expiresIn": 3600000, "count": 1, "requestLimit": "1000"}'
```

### Response

<Warning>
  The `token` value is **returned only once**. Store it securely; you cannot retrieve it again.
</Warning>

```json theme={null}
{
  "createApiTokens": [
    {
      "id": "uuid-of-the-token",
      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "expiresTimeString": "2025-03-10T12:00:00.000Z",
      "requestLimit": "1000",
      "remaining": "1000"
    }
  ]
}
```

Use the `token` value in subsequent API calls as:

```bash theme={null}
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

**Rate limit:** Up to 5 token-creation requests per minute per API key.

***

## List tokens

**`GET /api/2/auth/tokens`**

Returns all active short-lived tokens for your API key. The token secret is not returned.

### Example

```bash theme={null}
curl -X GET "https://api.mobula.io/api/2/auth/tokens" \
  -H "Authorization: YOUR_STATIC_API_KEY"
```

### Response

```json theme={null}
{
  "apiTokens": [
    {
      "id": "uuid-of-the-token",
      "expiresTimeString": "2025-03-10T12:00:00.000Z",
      "requestLimit": "1000",
      "remaining": "750"
    }
  ]
}
```

***

## Inspect one token

**`GET /api/2/auth/token?token=<jwt>`**

Returns metadata for a single short-lived token by its JWT string. Requires your static API key and the `token` query parameter set to the full JWT.

### Query parameters

| Parameter | Type   | Required | Description                     |
| --------- | ------ | -------- | ------------------------------- |
| `token`   | string | Yes      | The short-lived JWT to inspect. |

### Example

```bash theme={null}
curl -X GET "https://api.mobula.io/api/2/auth/token?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Authorization: YOUR_STATIC_API_KEY"
```

### Response

```json theme={null}
{
  "apiToken": {
    "id": "uuid-of-the-token",
    "expiresTimeString": "2025-03-10T12:00:00.000Z",
    "requestLimit": "1000",
    "remaining": "750"
  }
}
```

***

## Revoke a token

**`DELETE /api/2/auth/tokens/:id`**

Revokes a short-lived token by its `id`. The token stops working immediately.

### Path parameters

| Parameter | Type   | Required | Description                                                                    |
| --------- | ------ | -------- | ------------------------------------------------------------------------------ |
| `id`      | string | Yes      | Token ID (UUID) returned when the token was created or from the list endpoint. |

### Example

```bash theme={null}
curl -X DELETE "https://api.mobula.io/api/2/auth/tokens/uuid-of-the-token" \
  -H "Authorization: YOUR_STATIC_API_KEY"
```

### Response

```json theme={null}
{
  "deleteApiToken": "uuid-of-the-token"
}
```

***

## Using a short-lived token on other endpoints

After creating a token, use it for any Mobula API call by sending it **only** in the Bearer header:

```bash theme={null}
curl -X GET "https://api.mobula.io/api/1/market/data?asset=bitcoin" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
```

Do **not** send the short-lived token in `x-api-key`. Use `Authorization: Bearer <token>` only.

<Card title="Authentication overview" icon="key-skeleton" href="/rest-api-reference/authentification">
  Back to API key and short-lived token overview
</Card>
