Skip to main content
POST
/
api
/
auth
/
access-tokens
Mint Access Token
curl --request POST \
  --url https://api.kynasmith.dev/api/auth/access-tokens \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "api_key": "<string>",
  "api_key_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "api_key_secret": "<string>",
  "project_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "scopes": [
    "<string>"
  ],
  "service_account_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "service_account_secret": "<string>"
}
'
{
  "access_token": "<string>",
  "expires_in_seconds": 123,
  "organization_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "project_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "token_type": "Bearer"
}

Documentation Index

Fetch the complete documentation index at: https://docs.kynasmith.dev/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Headers

Idempotency-Key
string | null

Body

application/json

Machine credential exchange request for POST /api/auth/access-tokens.

Migration path (#6, #53):

The preferred shape is evolving toward { api_key, scopes? } where the project scope is inferred from the authenticated credential. During the migration window both the legacy dual-credential shape and the simplified api_key shorthand are accepted.

When project_id is omitted the API infers the project scope from the authenticated credential. When provided, the API validates it matches.

api_key
string | null

Simplified API key secret. When provided as the sole credential field, the backend resolves the key by its secret hash. Preferred over the legacy api_key_id + api_key_secret pair.

api_key_id
string<uuid> | null

API key identifier, if using the legacy credential pair.

api_key_secret
string | null

API key secret, if using the legacy credential pair.

project_id
string<uuid> | null

Explicit project context for the access token request. When omitted, inferred from the authenticated credential.

scopes
string[]

Requested access-token scopes.

service_account_id
string<uuid> | null

Service-account identifier, if using a service account.

service_account_secret
string | null

Service-account secret, if using a service account.

Response

Successful Response

Access-token exchange response.

access_token
string
required

Short-lived backend-signed access token.

expires_in_seconds
integer
required

Access-token lifetime in seconds.

organization_id
string<uuid>
required

Bound organization identifier.

project_id
string<uuid>
required

Bound project identifier.

token_type
string
default:Bearer

Bearer token type marker.

Allowed value: "Bearer"