IAM & Access

Token Exchange

Exchange API keys for short-lived bearer tokens used by secure server-side Infuse API integrations.

API-key credentials can be exchanged for short-lived bearer tokens through the IAM auth endpoint.

Use token exchange when your integration should keep the long-lived API key in secret storage and call downstream APIs with a short-lived token.

Current Infuse IoT token limitation: IAM token exchange does not make an IAM API key work with Infuse IoT APIs. Current Infuse IoT API calls use the legacy organisation-level admin token available from /admin/developer.

Exchange an API Key

POST /iam/auth/token
Content-Type: application/json

{
  "apiKey": "ik_<keyId>.<keySecret>"
}

The response includes:

  • accessToken
  • tokenType
  • expiresAt

Use the returned token as a bearer token until it expires:

Authorization: Bearer <accessToken>
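
The exchange-and-reuse flow above, as an added example (not Infuse's own code): a small client-side cache that keeps the API key private, exchanges it at `/iam/auth/token`, and re-exchanges shortly before `expiresAt`. The `TokenCache` class, the 60-second refresh margin, the HTTPS check and the base URL you pass in are this example's assumptions, as is treating `expiresAt` as an ISO 8601 timestamp, since the page does not state its format.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_PATH = "/iam/auth/token"  # endpoint path from the page


def http_post_json(url, payload):
    """POST a JSON body and return the decoded JSON response (stdlib only)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: holds the long-lived key, hands out short-lived bearer tokens."""

    def __init__(self, base_url, api_key, post=http_post_json, skew_seconds=60,
                 now=lambda: datetime.now(timezone.utc)):
        if not base_url.startswith("https://"):
            raise ValueError("refusing to send an API key over a non-HTTPS URL")
        self._url = base_url.rstrip("/") + TOKEN_PATH
        self._api_key = api_key  # load from secret storage, never hard-code
        self._post, self._now = post, now
        self._skew = timedelta(seconds=skew_seconds)
        self._token = self._expires_at = None

    def _exchange(self):
        body = self._post(self._url, {"apiKey": self._api_key})
        # Assumption: expiresAt is ISO 8601; a value without an offset is read as UTC.
        expires = datetime.fromisoformat(body["expiresAt"].replace("Z", "+00:00"))
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        self._token, self._expires_at = body["accessToken"], expires

    def auth_header(self):
        """Return the Authorization header, re-exchanging just before expiry."""
        if self._token is None or self._now() >= self._expires_at - self._skew:
            self._exchange()
        return {"Authorization": "Bearer " + self._token}

    def __repr__(self):
        return "TokenCache(url=%r)" % self._url  # keep key and token out of logs
```

Downstream calls merge `auth_header()` into their request headers, so only the short-lived token leaves the process after the initial exchange.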

Direct API-Key Auth

Some APIs can accept the API key directly:

Authorization: ApiKey ik_<keyId>.<keySecret>

Direct API-key auth only works when it is enabled for the organisation and supported by the API being called. If direct auth is not enabled, exchange the API key for a bearer token first.

Requirements

The API-key principal must be active, belong to the organisation, and not be expired. The credential must not be revoked or expired.

The principal also needs a role assignment that allows the requested API action.