Create an authentication token


To keep your app secure, long-lived authentication tokens in production are only for server-side requests. Client-side requests in production must use session tokens.


OAuth tokens expire after 10 hours by default, but can be configured to expire after up to 30 days. There can be up to 1000 active authentication tokens for a Client ID and Client Secret pair at any given time. To manage the number of active authentication tokens, use the /o/revoke_token/ endpoint to revoke a single token, or /o/bulk_revoke/ to revoke in bulk.

Check out the Forage authentication guide for more details on authentication tokens.

A POST request to /o/token/ creates a new authentication token. The token is returned as the access_token value in the response body.

An authentication token is a long-lived OAuth 2.0 bearer token that validates requests from your backend to Forage. Pass an authentication token in the Authorization header of server-side requests to handle sensitive tasks like creating an order or capturing a payment.

You need your app’s Client ID and Client Secret from the Forage dashboard (sandbox, production) to generate an authentication token. If you don’t yet have dashboard access, then please get in touch.