TokenExchangeResponse

Successful response from POST /v1/auth/token. For the api_key grant, subject.type is always service_account.

accessToken
Type: string
required

Short-lived JWT (1 hour) for use in the Authorization header.
expiresAt
Type: stringFormat: date-time
required

ISO-8601 timestamp at which the token expires.
expiresIn
Type: integer
required

Token lifetime in seconds.
scopes
Type: array string[]
required

Permission scopes carried by this token; mirrors the API key's scopes.
subject
Type: object · Subject
required

Identifies the entity (service account, user, or embed session) the token represents.
- id
  Type: string
  required
  
  Stable ID for the subject (UUID).
- type
  Type: stringenum
  required
  values
  user
  service_account
  embed
- mode
  Type: stringenum
  
  Mode of the namespace this token operates in. Absent on org-scoped tokens.
  
  values
  live
  test
- namespaceKey
  Type: string
  
  Namespace this token is scoped to. Absent on org-scoped tokens.
- orgId
  Type: string Pattern: ^org_[0-9a-z]{26}$
  
  Organization ID this token can act on. Prefixed lowercase ULID, e.g. org_01jv8m7qfj6xj9gkz7a4s2h8e.
- scopeLevel
  Type: stringenum
  
  Credential class the token authorizes against. namespace tokens act within a single namespace; org tokens act at the organization level and are rejected at any :namespaceKey URL.
  
  values
  namespace
  org
tokenType
enum
const:
Bearer
required
values
- Bearer