Skip to main content
POST
/
api
/
v1
/
auth
/
token
Exchange agent credentials + platform_id for a short-lived JWT
curl --request POST \
  --url https://api.mudraid.ai/api/v1/auth/token \
  --header 'Content-Type: application/json' \
  --data '
{
  "api_key_id": "muid_kid_a3f8e9c1d2b4f5e6a7b8c9d0e1f2a3b4",
  "secret": "muid_sk_xY9kL2pQ4rT6vN8mZ1cX3bV5nL7kJ9hG",
  "platform_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "scopes": [],
  "profile": "mudraid-native-jwt"
}
'
{
  "access_token": "<string>",
  "token_type": "Bearer",
  "expires_in": 900
}

Body

application/json
api_key_id
string
required

Public agent identifier (41 chars, muid_kid_ + 32 hex).

Example:

"muid_kid_a3f8e9c1d2b4f5e6a7b8c9d0e1f2a3b4"

secret
string
required

Agent secret, set at registration / rotation. Never logged.

Example:

"muid_sk_xY9kL2pQ4rT6vN8mZ1cX3bV5nL7kJ9hG"

platform_id
string<uuid>
required

Target platform's UUID.

scopes
string[]

Requested scope subset. Empty array expands to the agent's full permitted set for this platform. All requested scopes must be a subset of what the agent is permitted on this platform.

profile
enum<string>
default:mudraid-native-jwt

Token profile to mint (Phase 1a). Only mudraid-native-jwt exists today; unknown values are rejected with 422. The issued JWT carries the chosen profile as the private claim mudraid_token_profile. The oauth-at-jwt profile is added in Phase 1b.

Available options:
mudraid-native-jwt

Response

JWT issued

access_token
string
required

RS256 JWT. See JwtClaims for the payload shape.

token_type
enum<string>
required
Available options:
Bearer
expires_in
integer
default:900
required

Lifetime in seconds (15 minutes).