Create a bearer token

POSThttps://api2.transloadit.com/token

This endpoint exchanges your Auth Key and Auth Secret for a short-lived Bearer token. It mirrors the OAuth 2.0 client_credentials flow but is handled directly by the Transloadit API.

Tokens are minted server-side via this endpoint using your Auth Key/Secret. If you expose token creation via a UI, call /token from your backend (never directly from the browser).

Requests must use application/x-www-form-urlencoded and HTTP Basic Auth:

curl --request POST --url 'https://api2.transloadit.com/token' --user 'auth_key:auth_secret' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'scope=assemblies:read assemblies:write'

POST fields

Passing grant_type is required. Must be client_credentials.
Passing scope is optional. Optional, space- or comma-separated list of scopes. If omitted, the token inherits all scopes granted to your Auth Key.
Passing aud is optional. Optional audience value. Defaults to api2.

Use the returned token with Authorization: Bearer <access_token> on API requests. When a request is authenticated with a valid Bearer token, API2 treats Signature Authentication as satisfied and skips signature validation. Signature Authentication is enforced only for key/secret requests. Scope checks still apply. Tokens are valid for six hours (expires_in is 21600). The aud value is stored for future audience enforcement.

Response

Here’s an example response body:

{
  "access_token": "opaque-token",
  "token_type": "Bearer",
  "expires_in": 21600,
  "scope": "assemblies:read assemblies:write"
}

On success this request returns a JSON response with the token details. On error it contains an error field with the error status code and a message describing what went wrong.