POST http://localhost:8001/tokens/app
curl -X POST http://localhost:8001/tokens/app \
  -H "Content-Type: application/json" \
  -d '{
    "customer_id": "550e8400-e29b-41d4-a716-446655440000",
    "name": "Production API",
    "scopes": ["*"],
    "ttl_days": 365
  }'
{
  "token": "qt_app_eyJhbGciOiJFUzI1NiIs...",
  "token_hash": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
  "jti": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "expires_at": "2027-03-01T00:00:00Z"
}
The auth service is deployed on a private network. All endpoints except /health are internal management-plane operations.

Request Body

customer_id (string, required)
UUID of the customer to create the token for.

name (string, required)
Human-readable name for the app token (e.g., Production API, CI/CD Pipeline).

scopes (string[], default: ["*"])
Permission scopes for the token. Defaults to ["*"] (all scopes).

ttl_days (integer)
Time-to-live in days. Defaults to the value configured in AUTH_DEFAULT_APP_TTL_DAYS (365).

Response

token (string)
The app token string, prefixed with qt_app_. This is the only time the raw token is returned — store it securely.

token_hash (string)
SHA-256 hash of the token. Used as the app_token_hash parameter when creating bearer tokens.

jti (string)
Unique token identifier (JWT ID).

expires_at (datetime)
ISO 8601 expiration timestamp.
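
One way to handle this response on the caller's side, as an added example that is not part of the original documentation: the raw token is written once to an owner-only file, and only non-secret metadata is returned for logging. The function name store_app_token and the sample response are constructed, and the hash comparison assumes token_hash is the lowercase hex SHA-256 of the full token string including the qt_app_ prefix.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

# Constructed sample response in the documented shape (the token value is made up).
SAMPLE_TOKEN = "qt_app_" + "constructed-sample-not-a-real-token"
SAMPLE_RESPONSE = json.dumps({
    "token": SAMPLE_TOKEN,
    "token_hash": hashlib.sha256(SAMPLE_TOKEN.encode("utf-8")).hexdigest(),
    "jti": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
    "expires_at": "2027-03-01T00:00:00Z",
})


def store_app_token(response_body: str, secret_path: str) -> dict:
    """Persist the raw token to an owner-only file and return loggable metadata."""
    resp = json.loads(response_body)
    token = resp["token"]
    if not token.startswith("qt_app_"):
        raise ValueError("unexpected token prefix")

    # O_EXCL refuses to reuse an existing file; 0o600 limits access to the owner.
    fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)

    expires = datetime.fromisoformat(resp["expires_at"].replace("Z", "+00:00"))
    # Assumption: token_hash is hex SHA-256 over the full token string.
    local_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()

    # The raw token is deliberately absent from the returned metadata.
    return {
        "jti": resp["jti"],
        "token_hash": resp["token_hash"],
        "hash_matches_local": local_hash == resp["token_hash"],
        "days_until_expiry": (expires - datetime.now(timezone.utc)).days,
    }
```

If hash_matches_local is False against a real deployment, the service computes token_hash differently from the assumption above; use the token_hash value the service returned.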