Skip to main content
POST
Exchange API key for a JWT token

Authorizations

Authorization
string
header
required

Gateway auth: send Authorization: Bearer <mka1-api-key>. For multi-user server-side integrations, you can also send X-On-Behalf-Of: <external-user-id>.

Headers

X-On-Behalf-Of
string

Optional external end-user identifier forwarded by the API gateway.

Body

application/json
audience
string<uri>
required

JWT audience (aud) claim for the exchanged token. Set this to the target API/service URL that should accept the token.

externalUserId
string
required

Your external user identifier to place in the JWT subject (sub) claim. Must be 1–150 printable-ASCII characters and not the wildcard *.

Required string length: 1 - 150
Pattern: ^[\x20-\x7E]+$
expiresIn
number
default:3600

Token lifetime in seconds. Must be between 300 (5 minutes) and 2592000 (30 days). Defaults to 3600 (1 hour).

Required range: 300 <= x <= 2592000
permissions
string[]

Optional subset of API key permissions to embed in the token. If omitted, all API key permissions are used.

Response

Successfully exchanged API key for a JWT token

token
string
required

Signed JWT exchange token to use when calling downstream services.