Access token

All HTTP requests to the API must be authorized with a JWT access token via bearer authentication. The access token must be sent in the Authorization header. Example:

curl -H "Authorization: Bearer <token>"

All API requests must be made over HTTPS. Calls made over plain HTTP will get a 301 response redirecting to their HTTPS equivalent. Calls without a valid authorization token will fail with a 401 error code.‌

Authentication workflow

Start by connecting to the Didomi console. Navigate to the adequate organization and go to Settings/Private API keys. There you will be able to generate a Private API key and a secret.‌

To generate an access token, send an HTTP POST request to with a JSON body containing the following values:






The type of authorization request (in this case, using an API key and secret)


Your API key

Use your Private API key


Your API secret

Use the secret that you received when you generated your Private API key

The /sessions endpoint of the API is used to authenticate yourself and obtain a JSON Web Token that should be used for other API calls. All other API endpoints expect a JWT.‌

For a full reference of the endpoint and the resources that it returns, visit‌

Request example:

curl --request POST --url '' --header 'content-type: application/json' --data '{"type": "api-key", "key": "<Your API key>", "secret": "<Your API secret>"}'

The response will contain an access_token property with the token that you should use for authorizing further requests. If there is a problem authenticating you, a 400 error is returned.‌

Response example:

{    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"}

You can generate as many tokens as you want. Tokens will expire after 1 hour so, if you are running a long-term process, make sure to regenerate a new token regularly.

Last updated