> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fluidehr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Exchange API key for access token

> Exchanges a developer API key and secret for a short-lived machine JWT. Send credentials via `X-Fluide-Api-Key`, `X-Fluide-Api-Secret`, and `X-Fluide-Client-Id: fluide-developer` headers. Use the secret only on this route — never on product APIs. See [Authorization](/getting-started/authorization).



## OpenAPI

````yaml /openapi/fluide-utils.json post /api/v1/authorize/token
openapi: 3.0.0
info:
  title: Fluide Utils API
  description: >-
    Shared platform utilities: notifications, file storage, document generation
    (PDFs, spreadsheets), and document jobs used across the suite. In the API
    playground, click Authorize and provide Bearer JWT, X-Fluide-Api-Key, and
    X-Fluide-Client-Id (fluide-developer). For partner / ISV integrations acting
    on a merchant, also set optional X-Workspace-Id and X-Acting-Company-Id on
    each request (see Multi-tenancy).
  version: '1.0'
  contact: {}
servers:
  - url: https://test.api.fluidehr.com
    description: API
security:
  - bearer: []
    fluideApiKey: []
    fluideClientId: []
tags:
  - name: App
    description: Service root and build metadata. Use for quick connectivity checks.
    x-group: Operations
  - name: Prometheus
    description: >-
      Prometheus scrape endpoint in text exposition format. Configure your
      metrics collector to poll this path on each service.
    x-group: Operations
  - name: Notifications
    description: In-app and multi-channel notifications for suite products.
  - name: File Management
    description: Upload, download, and manage files scoped to your organization.
  - name: Internal Files
  - name: Documents
    description: >-
      Generate payslips, invoices, financial reports, and other PDF or
      spreadsheet artifacts.
  - name: Public artifacts
  - name: Internal Documents
  - name: Internal Artifacts
  - name: Document jobs
  - name: Document management
  - name: Authorize
    description: >-
      Exchange API key and secret for a machine JWT, read developer metadata,
      rotate secrets, and manage API billing.
paths:
  /api/v1/authorize/token:
    post:
      tags:
        - Authorize
      summary: Exchange API key for access token
      description: >-
        Exchanges a developer API key and secret for a short-lived machine JWT.
        Send credentials via `X-Fluide-Api-Key`, `X-Fluide-Api-Secret`, and
        `X-Fluide-Client-Id: fluide-developer` headers. Use the secret only on
        this route — never on product APIs. See
        [Authorization](/getting-started/authorization).
      operationId: AuthorizeController_token_v1
      parameters:
        - name: X-Fluide-Api-Key
          in: header
          required: true
          schema:
            type: string
          description: Developer API key (`fl_dev_...`).
        - name: X-Fluide-Api-Secret
          in: header
          required: true
          schema:
            type: string
          description: API secret — use only on this route, never on product APIs.
        - name: X-Fluide-Client-Id
          in: header
          required: true
          schema:
            type: string
            default: fluide-developer
          description: Must be `fluide-developer` for Connect integrations.
        - name: X-Workspace-Id
          in: header
          required: false
          description: >-
            Partner / ISV only: UUID of the workspace that owns the client
            company. Required together with X-Acting-Company-Id when scoping
            product APIs to a merchant. See /getting-started/multi-tenancy.
          schema:
            type: string
            format: uuid
          example: b03fa178-67bd-4378-a5aa-d169c01ccb6f
        - name: X-Acting-Company-Id
          in: header
          required: false
          description: >-
            Partner / ISV only: UUID of the client company to act on. Must
            belong to the workspace in X-Workspace-Id.
          schema:
            type: string
            format: uuid
          example: ab2df10a-c66c-4bef-b7d6-efda26cca494
      requestBody:
        required: false
        content:
          application/json:
            schema:
              type: object
              properties:
                apiKey:
                  type: string
                  description: Optional if sent via header.
                apiSecret:
                  type: string
                  description: Optional if sent via header.
                organizationId:
                  type: string
                  format: uuid
                  description: Optional active organization override for the issued token.
      responses:
        '201':
          description: Access token issued
          content:
            application/json:
              schema:
                allOf:
                  - $ref: '#/components/schemas/ApiResponseDto'
                  - properties:
                      data:
                        type: object
                        properties:
                          accessToken:
                            type: string
                            description: RS256 JWT.
                          jti:
                            type: string
                          tenantId:
                            type: string
                            format: uuid
                          fluideClientId:
                            type: string
                            example: fluide-developer
                          exp:
                            type: integer
                            description: Expiry (Unix seconds).
                          iat:
                            type: integer
                          authContextPath:
                            type: string
                            example: /api/v1/auth-context/{jti}
        '400':
          description: Validation failed or invalid request parameters
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiErrorResponseDto'
        '401':
          description: Invalid API key or secret
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiErrorResponseDto'
        '403':
          description: Developer account not eligible for token exchange
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiErrorResponseDto'
      security:
        - fluideApiKey: []
          fluideApiSecret: []
          fluideClientId: []
      x-codeSamples:
        - lang: bash
          label: cURL
          source: |-
            curl -sS -X POST "$FLUIDE_BASE_URL/api/v1/authorize/token" \
              -H "X-Fluide-Api-Key: $FLUIDE_API_KEY" \
              -H "X-Fluide-Api-Secret: $FLUIDE_API_SECRET" \
              -H "X-Fluide-Client-Id: fluide-developer" \
              -H "X-Workspace-Id: $FLUIDE_WORKSPACE_ID" \
              -H "X-Acting-Company-Id: $FLUIDE_COMPANY_ID" \
              -H "Content-Type: application/json" \
              -d '{}'
        - lang: node
          label: Node.js
          source: >-
            const baseUrl = process.env.FLUIDE_BASE_URL;


            const response = await fetch(`${baseUrl}/api/v1/authorize/token`, {
              method: 'POST',
              headers: {
                'X-Fluide-Api-Key': process.env.FLUIDE_API_KEY,
                'X-Fluide-Api-Secret': process.env.FLUIDE_API_SECRET,
                'X-Fluide-Client-Id': 'fluide-developer',
                'X-Workspace-Id': process.env.FLUIDE_WORKSPACE_ID,
                'X-Acting-Company-Id': process.env.FLUIDE_COMPANY_ID,
                'Content-Type': 'application/json',
              },
              body: JSON.stringify({}),
            });


            if (!response.ok) throw new Error(`HTTP ${response.status}: ${await
            response.text()}`);

            console.log(await response.json());
        - lang: python
          label: Python
          source: |-
            import os
            import requests

            base_url = os.environ["FLUIDE_BASE_URL"]
            headers = {
                    "X-Fluide-Api-Key": os.environ["FLUIDE_API_KEY"],
                    "X-Fluide-Api-Secret": os.environ["FLUIDE_API_SECRET"],
                    "X-Fluide-Client-Id": "fluide-developer",
                    "X-Workspace-Id": os.environ["FLUIDE_WORKSPACE_ID"],
                    "X-Acting-Company-Id": os.environ["FLUIDE_COMPANY_ID"],
            }

            response = requests.post(
                f"{base_url}/api/v1/authorize/token",
                headers=headers,
                json={},
                timeout=30,
            )
            response.raise_for_status()
            print(response.json())
        - lang: java
          label: Java
          source: >-
            import java.net.URI;

            import java.net.http.HttpClient;

            import java.net.http.HttpRequest;

            import java.net.http.HttpResponse;


            String baseUrl = System.getenv("FLUIDE_BASE_URL");

            HttpClient client = HttpClient.newHttpClient();

            HttpRequest.Builder builder = HttpRequest.newBuilder()
                .uri(URI.create(baseUrl + "/api/v1/authorize/token"))
                .header("X-Fluide-Api-Key", System.getenv("FLUIDE_API_KEY"))
                .header("X-Fluide-Api-Secret", System.getenv("FLUIDE_API_SECRET"))
                .header("X-Fluide-Client-Id", "fluide-developer")
                .header("X-Workspace-Id", System.getenv("FLUIDE_WORKSPACE_ID"))
                .header("X-Acting-Company-Id", System.getenv("FLUIDE_COMPANY_ID"))
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString("{}"))
                .build();
            HttpResponse<String> response = client.send(builder.build(),
            HttpResponse.BodyHandlers.ofString());

            if (response.statusCode() >= 400) throw new RuntimeException("HTTP "
            + response.statusCode() + ": " + response.body());

            System.out.println(response.body());
        - lang: php
          label: PHP
          source: >-
            <?php

            $baseUrl = getenv("FLUIDE_BASE_URL");

            $ch = curl_init($baseUrl . "/api/v1/authorize/token");

            curl_setopt_array($ch, [
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_CUSTOMREQUEST => 'POST',
                CURLOPT_HTTPHEADER => [
                    'X-Fluide-Api-Key: ' . getenv('FLUIDE_API_KEY'),
                    'X-Fluide-Api-Secret: ' . getenv('FLUIDE_API_SECRET'),
                    'X-Fluide-Client-Id: fluide-developer',
                    'X-Workspace-Id: ' . getenv('FLUIDE_WORKSPACE_ID'),
                    'X-Acting-Company-Id: ' . getenv('FLUIDE_COMPANY_ID'),
                    'Content-Type: application/json',
                ],
                CURLOPT_POSTFIELDS => "{}",
            ]);

            $response = curl_exec($ch);

            if ($response === false) throw new
            RuntimeException(curl_error($ch));

            $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

            if ($status >= 400) throw new RuntimeException("HTTP $status:
            $response");

            echo $response;
components:
  schemas:
    ApiResponseDto:
      type: object
      properties:
        success:
          type: boolean
          example: true
          description: Whether the request succeeded
        message:
          type: string
          example: Operation completed successfully
          description: Human-readable outcome message (localized when i18n is configured)
        data:
          type: object
          description: Response payload when success is true
      required:
        - success
        - message
    ApiErrorResponseDto:
      type: object
      properties:
        success:
          type: boolean
          example: false
        message:
          type: string
          example: Validation failed
          description: Human-readable error message (localized when i18n is configured)
        code:
          type: string
          example: VALIDATION_FAILED
          description: Stable machine-readable error code for client handling and support
        errors:
          type: object
          description: Field-level validation errors keyed by property name
          example:
            from:
              - from must be a valid date
        statusCode:
          type: number
          example: 400
        timestamp:
          type: string
          example: '2026-06-03T12:00:00.000Z'
      required:
        - success
        - message
        - code
        - statusCode
        - timestamp
  securitySchemes:
    bearer:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        Access token JWT. Use as Authorization: Bearer <token>. In the API
        playground, paste the JWT only.
    fluideApiKey:
      type: apiKey
      in: header
      name: X-Fluide-Api-Key
      description: >-
        Developer API key (fl_dev_...). Required on every API call with a
        machine access token.
      x-default: fl_dev_your_key
    fluideClientId:
      type: apiKey
      in: header
      name: X-Fluide-Client-Id
      description: >-
        First-party client audience. Must match the fluide_client_id claim on
        the JWT. Use fluide-developer for Connect.
      x-default: fluide-developer
    fluideApiSecret:
      type: apiKey
      in: header
      name: X-Fluide-Api-Secret
      description: >-
        API secret used only during token exchange. Never send on product
        routes.

````