Skip to main content
POST
/
api
/
v2
/
public
/
session-token
curl -X POST "https://app.refold.ai/api/v2/public/session-token" \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "linked_account_id": "YOUR_LINKED_ACCOUNT_ID" }'
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsaW5rZWRfYWNjb3VudF9pZCI6InVzZXJfMTIzNDUifQ.SIGNATURE",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc19yZWZyZXNoIjp0cnVlfQ.SIGNATURE",
  "expires_in": 599747,
  "refresh_expires_in": 2586947
}
Issue a JWT session token (and refresh token) for a linked account. Session tokens authenticate hosted and Connect frontends that should never hold your API key — the token itself encodes the org, linked account, and environment. By default an existing valid token is reused; pass force_refresh=true to always mint a new one. Token TTL is determined by service configuration.

Authentication

x-api-key
string
required
Your Refold API key. Find it in Settings → Credentials.

Query Parameters

force_refresh
boolean
default:"false"
When true, always issues a new token instead of reusing an existing valid one.

Body Parameters

linked_account_id
string
required
The linked account to issue the token for.Example: user_12345

Response

token
string
The session token (JWT). Send as Authorization: Bearer <token>.
refresh_token
string
Token used to obtain a new session token after expiry.
expires_in
integer
Seconds until the session token expires.
refresh_expires_in
integer
Seconds until the refresh token expires.
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsaW5rZWRfYWNjb3VudF9pZCI6InVzZXJfMTIzNDUifQ.SIGNATURE",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc19yZWZyZXNoIjp0cnVlfQ.SIGNATURE",
  "expires_in": 599747,
  "refresh_expires_in": 2586947
}
curl -X POST "https://app.refold.ai/api/v2/public/session-token" \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "linked_account_id": "YOUR_LINKED_ACCOUNT_ID" }'