POST /v1/client_tokens
Client Tokens
Mint a short-lived (60s) browser-safe token scoped to a single Customer + origin + IP.
Request
- HTTP: POST
- URL: /v1/client_tokens
- Auth: api_key
Try it
```
curl https://api.fightclub.pro/v1/client_tokens \
  -H "Authorization: Bearer $FC_API_KEY" \
  -d '{"customer":"cust_42","origin":"https://app.example.com"}'
```
Parameters
| Name | Type | Description |
|---|---|---|
| customer* | string | FC Customer ID this token is scoped to. |
| origin* | string | Allowed Origin header (e.g. https://app.example.com). |
| allowed_endpoints | string[] | Restrict to specific endpoints. |
Response fields
| Name | Type | Description |
|---|---|---|
| token | string | JWT (60s expiry). Send as Authorization: Bearer. |
| expires_at | integer | Unix timestamp. |
Errors
- 401 invalid_api_key: Missing or revoked key.
- 404 customer_not_found: No such customer.
See the full error reference.
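A server-side minting helper for this endpoint, as an added example that is not part of the original reference or the vendor's SDK. The names `ALLOWED_ORIGINS`, `MintError`, `build_request` and `mint_client_token`, the JSON `Content-Type` header, and the injectable `send`/`now` parameters are assumptions made for illustration.

```python
import json
import time
import urllib.error
import urllib.request

API_URL = "https://api.fightclub.pro/v1/client_tokens"  # endpoint from this page
ALLOWED_ORIGINS = {"https://app.example.com"}  # assumption: your own front-end origins


class MintError(Exception):
    """Raised when no usable client token can be handed to the browser."""


def build_request(api_key, customer, origin):
    # Exact-match allowlist: never echo an arbitrary Origin header into the token scope.
    if origin not in ALLOWED_ORIGINS:
        raise MintError("origin not allowed")
    body = json.dumps({"customer": customer, "origin": origin}).encode()
    return urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={
            "Authorization": f"Bearer {api_key}",  # API key stays on the server
            "Content-Type": "application/json",  # assumption: not shown in the page's curl
        },
    )


def mint_client_token(api_key, customer, origin, send=urllib.request.urlopen, now=time.time):
    """customer must come from the authenticated server-side session, not from browser input."""
    req = build_request(api_key, customer, origin)
    try:
        with send(req, timeout=5) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as exc:
        # 401 = invalid_api_key, 404 = customer_not_found (per the Errors list)
        raise MintError(f"mint failed with HTTP {exc.code}") from None
    # A token that is already past expires_at is useless to the browser; fail closed.
    if data["expires_at"] <= now():
        raise MintError("token already expired")
    # Forward only the documented response fields to the browser.
    return {"token": data["token"], "expires_at": data["expires_at"]}
```

Because the token lives for 60 seconds, mint one per browser session start or per request burst instead of caching it server-side.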