> ## Documentation Index
> Fetch the complete documentation index at: https://docs.paylead.fr/llms.txt
> Use this file to discover all available pages before exploring further.

# Issue an access token

> Exchange API key credentials for a short-lived ES256 JWT access token. Authenticate with HTTP Basic: the username is the API key's `client_id` (a UUID) and the password is its `client_secret`. Send the returned `access_token` as `Authorization: Bearer <token>` on every subsequent Platform API call.



## OpenAPI

````yaml /program/api/openapi/2.0.0/authz/openapi.json post /tokens
openapi: 3.1.0
info:
  description: |
    Paylead Program API.
    You can find complete documentation in https://docs.paylead.com/
  license:
    name: Proprietary
    url: https://docs.paylead.com/
  title: Authentication
  version: 2.0.0
servers:
  - description: Sandbox
    url: https://api-{programRef}.sandbox.paylead.tech
    variables:
      programRef:
        default: changeme
        description: Program reference provided by Paylead
security:
  - oauth2: []
tags:
  - description: Issue ES256 JWTs for API keys
    name: Tokens
    x-displayName: Tokens
paths:
  /tokens:
    post:
      tags:
        - Tokens
      summary: Issue an access token
      description: >-
        Exchange API key credentials for a short-lived ES256 JWT access token.
        Authenticate with HTTP Basic: the username is the API key's `client_id`
        (a UUID) and the password is its `client_secret`. Send the returned
        `access_token` as `Authorization: Bearer <token>` on every subsequent
        Platform API call.
      operationId: issue
      parameters:
        - description: >-
            Selects the partner API version to use, in semver form `x.y.z` (e.g.
            `2.0.0`). Optional; the service default version is used when
            omitted.
          example: 2.0.0
          in: header
          name: x-api-version
          required: false
          schema:
            type:
              - string
              - 'null'
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Authz_TokenResponse'
          description: Access token issued.
        '401':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
          description: Missing or invalid Basic credentials.
        '404':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
          description: Client not found or secret mismatch.
      security:
        - basic_auth: []
components:
  schemas:
    Authz_TokenResponse:
      properties:
        access_token:
          description: Signed ES256 JWT.
          type: string
        expires_in:
          description: Lifetime of the token in seconds.
          format: int64
          type: integer
        token_type:
          description: Always `Bearer`.
          type: string
      required:
        - access_token
        - token_type
        - expires_in
      type: object
    ErrorResponse:
      additionalProperties: false
      description: >-
        An error response object (PayLead profile).


        Extension members (e.g. ``errors`` for validation) are allowed and
        serialised as

        top-level keys.
      properties:
        code:
          title: Code
          type: string
        errors:
          anyOf:
            - items:
                additionalProperties: true
                type: object
              type: array
            - type: 'null'
          default: null
          title: Errors
        instance:
          anyOf:
            - type: string
            - type: 'null'
          default: null
          title: Instance
        status:
          title: Status
          type: integer
        title:
          title: Title
          type: string
      required:
        - code
        - title
        - status
      title: ErrorResponse
      type: object
  securitySchemes:
    oauth2:
      flows:
        clientCredentials:
          scopes:
            ALL: Full access to all resources (wildcard).
            LOYALTIES: Access to loyalties features.
            PERKS: Access to perks features.
            TX_INJECTION: Access to transaction sharing.
          tokenUrl: /tokens
      type: oauth2
    basic_auth:
      scheme: basic
      type: http

````