GET /auth/token

Obtain JWT access token

Obtain a short-lived JWT access token using your Client ID, Client Secret, and an HMAC SHA256 signature.

Use this endpoint from your backend to exchange a Base64-encoded HMAC SHA256 signature for a JWT access token. You generate the signature on your side using your Client ID as the message and your Client Secret as the key, then send it in the x-marmin-signature header along with your Client ID. The response returns a token and an expires_at timestamp. Use the token as a Bearer token in the Authorization header for all subsequent Marmin API calls until it expires.

Do's and don'ts

Do's
  • Call the token endpoint only from your backend (server or serverless). Never call it from the browser or a mobile app.

  • Send a fresh HMAC signature with each token request. Generate the signature immediately before calling /auth/token.

  • Use the token only in the Authorization header as a Bearer token. Do not send it in query params or request body.

  • Check the expires_at value and request a new token before the current one expires to avoid 401 errors.

  • Reuse the same token for multiple API calls until it expires; you do not need a new token per request.

Don'ts
  • Do not call /auth/token from frontend or mobile code—your Client Secret would be exposed.

  • Do not cache or reuse an old signature; generate a new one for each token request.

  • Do not log the token, signature, or Client Secret, and do not expose them in URLs or client-side code.

  • Do not send the token in query parameters or in any header other than Authorization.

  • Do not ignore 401 responses—treat them as a signal to obtain a new token and retry.

Request parameters
Name | Type | Required | Description
client_id | string | Required | Your Marmin Client ID, passed as a query parameter. Example: org_1234567890abcdef.
x-marmin-signature | string | Required | Base64-encoded HMAC SHA256 signature generated using your Client ID as the message and your Client Secret as the key, sent in the x-marmin-signature request header.
Responses
  • 200 Returns a JWT access token and its expiration time.
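
The signing and request steps described above, as an added backend-side example in Python; it is not code from Marmin. Assumptions: the host in BASE_URL is a placeholder because this page does not give the base URL, expires_at has already been converted to Unix seconds by the caller, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import urllib.parse
import urllib.request

# Placeholder host (assumption): this page does not give the API base URL.
BASE_URL = "https://api.example.invalid"


def sign_client_id(client_id: str, client_secret: str) -> str:
    """Base64(HMAC-SHA256(key=Client Secret, message=Client ID))."""
    digest = hmac.new(client_secret.encode("utf-8"),
                      client_id.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_token_request(client_id: str, client_secret: str) -> urllib.request.Request:
    """GET /auth/token: client_id in the query string, signature in a header.
    The signature is computed here, immediately before the request is built."""
    query = urllib.parse.urlencode({"client_id": client_id})
    return urllib.request.Request(
        f"{BASE_URL}/auth/token?{query}",
        headers={"x-marmin-signature": sign_client_id(client_id, client_secret)},
        method="GET",
    )


def needs_refresh(expires_at_epoch: float, now: float, skew: float = 60.0) -> bool:
    """True once the token is within `skew` seconds of expiry, so a new token
    is requested before API calls start returning 401.
    Assumption: expires_at was converted to Unix seconds by the caller."""
    return now >= expires_at_epoch - skew


def bearer_headers(token: str) -> dict:
    """The token travels only in the Authorization header, as a Bearer token."""
    return {"Authorization": f"Bearer {token}"}


def redact(headers: dict) -> dict:
    """Copy of the headers that is safe to log: secret values are replaced."""
    sensitive = {"authorization", "x-marmin-signature"}
    return {name: ("[REDACTED]" if name.lower() in sensitive else value)
            for name, value in headers.items()}
```

The Client Secret only ever enters sign_client_id as the HMAC key; it never appears in the URL or in any header.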