Version: 2025-05-27

Authentication

The Cint Exchange uses OAuth and JWT (JSON Web Tokens) for request authentication. Compared to static API keys, JWTs offer extensive scoping and expiry options, increasing security for all users of the Cint Exchange.

JWTs are secure, compact tokens designed to assert claims between two parties and are typically encoded and encrypted. They facilitate the secure transmission of information using a verifiable, trusted JSON object.

Every API request to the Cint Exchange requires a JWT bearer token.

Your first call: Requesting a JWT

At the start of a session, or when your token expires, you'll need to make an API call to the get token endpoint.

Use the https://auth.cint.com/oauth/token endpoint to request your token. The request body must include your client_id and client_secret as well as grant type parameters.

Example request to the OAuth token endpoint:

curl -X "POST" "https://auth.cint.com/oauth/token" \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "<YOUR_CLIENT_ID>",
    "client_secret": "<YOUR_CLIENT_SECRET>",
    "grant_type": "client_credentials",
    "auth_scopes": "app:api",
    "audience": "https://api.luc.id"
  }'

Example success response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5c...",
  "expires_in": 86400,
  "token_type": "Bearer"
}

Token expiration

In the Cint Exchange, all JWTs are valid for 86,400 seconds (24 hours) after they're created. You'll need to request a new token before the current one expires to maintain access.

If you attempt to use an expired token, you'll receive a 403 Forbidden error.

Example error response if your token has expired

{
  "id": "fe68cdd2-ee87-4dbf-8950-63c5cbca94c7",
  "object": "authorization_error",
  "detail": "you don't have the right permissions to perform this operation"
}

The OAuth flow: Required OAuth parameters

Use the following parameters in your OAuth2 request flow. We recommend using a caching OAuth solution for your integration.

Parameter | Value | Description
--- | --- | ---
client_id | <YOUR_CLIENT_ID> | Your unique client identifier, provided by your integration consultant.
client_secret | <YOUR_CLIENT_SECRET> | Your unique client secret, provided by your integration consultant.
audience | https://api.luc.id | The unique identifier for the API you're requesting access to.
auth_scopes | app:api | Defines the permission scope for the token. This must always be set to "app:api".
grant_type | client_credentials | Specifies the OAuth 2.0 grant type required for this flow.

Making API calls with a JWT

Once you've obtained a JWT, you must include it as a header argument in the format "Authorization": "Bearer <YOUR_JWT>".

For example, here’s how you'd make a request to the /accounts endpoint:

Example API call using a JWT:

curl -X GET "https://api.cint.com/v1/accounts" \
  -H "Authorization: Bearer <YOUR_JWT>"

If your client_id or client_secret is incorrect, you'll receive a 401 Unauthorized error.

Example error response for invalid credentials:

{
  "error": "access_denied",
  "error_description": "Unauthorized"
}

Renewing your JWT authorization

As you approach expiry, request a new JWT using the same steps used to generate the original JWT, then begin using it on new requests. Currently, JWTs can overlap, and multiple JWTs can be used simultaneously.