Skip to main content
POST
http://localhost:8001
/
tokens
/
bearer
curl -X POST http://localhost:8001/tokens/bearer \
  -H "Content-Type: application/json" \
  -d '{
    "customer_id": "550e8400-e29b-41d4-a716-446655440000",
    "app_token_hash": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
    "environment": "production",
    "ttl_days": 90
  }'

{
  "token": "qt_bearer_eyJhbGciOiJFUzI1NiIs...",
  "jti": "8a3b9c4d-e5f6-7890-abcd-1234567890ab",
  "environment": "production",
  "expires_at": "2026-05-30T00:00:00Z"
}
The auth service is deployed on a private network. All endpoints except /health are internal management-plane operations.

Request Body

customer_id
string
required
UUID of the customer.
app_token_hash
string
required
SHA-256 hash of the parent app token. Returned as token_hash when the app token was created.
environment
string
default:"production"
Target environment. Accepted values: development, staging, production.
ttl_days
integer
Time-to-live in days. Defaults to 90.

Response

token
string
The bearer token string, prefixed with qt_bearer_. This is an ES256-signed JWT.
jti
string
Unique token identifier. Used as the bearer_jti parameter when creating agent tokens.
environment
string
The environment the token is scoped to.
expires_at
datetime
ISO 8601 expiration timestamp.
curl -X POST http://localhost:8001/tokens/bearer \
  -H "Content-Type: application/json" \
  -d '{
    "customer_id": "550e8400-e29b-41d4-a716-446655440000",
    "app_token_hash": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
    "environment": "production",
    "ttl_days": 90
  }'

{
  "token": "qt_bearer_eyJhbGciOiJFUzI1NiIs...",
  "jti": "8a3b9c4d-e5f6-7890-abcd-1234567890ab",
  "environment": "production",
  "expires_at": "2026-05-30T00:00:00Z"
}