Skip to main content
Every call to the SightX API must include a valid access token in the Authorization header. Tokens are obtained by signing a JWT with your RSA private key and exchanging it at the authentication endpoint.

Overview

Access tokens last 12 hours. Your integration should refresh tokens before they expire rather than re-authenticating on every call. The authentication flow has two steps:
  1. Generate a signed JWT using your client ID and RSA private key.
  2. Exchange the JWT for an access token at the m2m-token endpoint.
Flow to obtain an access token

Step 1: Generate a signed JWT

JWT contents

Each JWT has three parts: header, payload, and signature.

Payload

See JWT Data for claim details. For background on reserved claims, see RFC 7519 §4.1.

Signature

See Generate Keys for RSA key pair instructions.

Code examples

These snippets are examples only. Use libraries from jwt.io/libraries and your own key pair in production.

Step 2: Exchange JWT for access token

POST your signed JWT to the authentication endpoint:

Request Access Token

Exchange a signed JWT for a 12-hour access token.
Request body:
Successful response:

Making authenticated requests

Pass the returned token directly in the Authorization header. No Bearer prefix is required.

Security best practices

Treat your private key and client ID with the same care as a production secret. Anyone with access can request API tokens under your account.

Key hygiene

  • Generate a dedicated key pair for API access — do not reuse SSH keys from other systems
  • Store your private key in a secrets manager (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault)
  • Never commit private keys to source control

Token management

  • Track token expiration — tokens are valid for 12 hours
  • Refresh proactively before expiry rather than waiting for 401 responses
  • Use the optional jti claim to differentiate concurrent token requests and avoid duplicate-request lockouts

Projects ownership

When a project is created via the API, its owner is the service account. Add members explicitly via the resources mappings endpoint if others need access.

Next steps

Generate Keys

Create your RSA key pair.

JWT Data

Required claim values and examples.