Authentication

OAuth2 client credentials — exchange your client ID and secret for a JWT, then present it on every request.

Both the Core API and the Metrics API use standard OAuth2 JWT bearer tokens, obtained via the client_credentials grant. All communication is over HTTPS (the Metrics API over WSS).

Get API access

Your client ID, client secret, token issuer URL, and API audience identifier are issued by your Aura Vision account manager. Treat the client secret like a password — never commit it to source control, never expose it in client-side code, and rotate it through your account manager if you suspect it has leaked.

Request a token

POST to your issuer URL with the client_credentials grant. The exact issuer URL and audience identifier are provided with your credentials.

POST /oauth/token HTTP/1.1
Host: <your-issuer>
Content-Type: application/json

{
  "client_id": "<your_client_id>",
  "client_secret": "<your_client_secret>",
  "audience": "<your_api_audience>",
  "grant_type": "client_credentials"
}

The response contains an access_token (JWT), a token_type of Bearer, and an expires_in (seconds). Cache the token until shortly before expiry — do not request a new one for every API call.

Use the token (Core API)

Present the token on every request to the Core API:

Authorization: Bearer <your_token>
Content-Type: application/json

Use the token (Metrics API)

Connect to wss://ws.auravision.ai?token=<your_token> and present the token once, at WebSocket connection time, as a ?token= query parameter. Do not include it on individual messages. The token is validated at connection; if it expires mid-session you'll need to reconnect with a fresh one. Because the token travels in the query string, it can end up in proxy, load-balancer and client access logs: URL-encode it, do not log the full connection URL, and rely on the short token lifetime to limit the exposure window.

Token lifetime

Tokens are short-lived (typically minutes to an hour). Build your client to refresh proactively rather than reacting to 401s. A reasonable pattern: refresh when the remaining lifetime drops below 25% of expires_in, measured from the moment the token response was received. Still treat a 401 as a signal to discard the cached token and fetch a new one, since clock skew or revocation can invalidate a token before your local expiry estimate.
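The following is an added example, not code from the Aura Vision documentation or SDK, that puts the steps above together: fetch a client_credentials token, cache it, refresh it once the remaining lifetime falls below 25% of expires_in, and derive both the Core API Authorization header and the Metrics API WebSocket URL from the cached token. The token endpoint is replaced by a constructed stand-in (make_fake_issuer) that returns the same three fields the documentation describes, so the example runs offline; the FakeClock, TokenCache and helper names are this example's own, not part of any Aura Vision client.

```python
import time
import urllib.parse
from typing import Callable, Optional


class FakeClock:
    """Constructed clock so the refresh logic can be exercised without sleeping."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def make_fake_issuer(client_id: str, client_secret: str, audience: str,
                     expires_in: int = 3600) -> Callable[[], dict]:
    """Constructed stand-in for POST https://<your-issuer>/oauth/token.

    A real client would send {"client_id", "client_secret", "audience",
    "grant_type": "client_credentials"} as JSON over HTTPS and parse the
    response; here we only mimic the response shape (access_token, token_type,
    expires_in) and number the tokens so refreshes are observable.
    """
    calls = {"n": 0}

    def fetch() -> dict:
        calls["n"] += 1
        return {
            "access_token": f"jwt.{client_id}.{calls['n']}",  # constructed, not a real JWT
            "token_type": "Bearer",
            "expires_in": expires_in,
        }

    return fetch


class TokenCache:
    """Caches one client_credentials token and refreshes it proactively.

    refresh_fraction=0.25 implements the documented rule: request a new token
    once the remaining lifetime drops below 25% of expires_in.
    """

    def __init__(self, fetch: Callable[[], dict], refresh_fraction: float = 0.25,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch
        self._fraction = refresh_fraction
        self._clock = clock
        self._token: Optional[str] = None
        self._lifetime = 0.0
        self._expires_at = 0.0
        self.fetch_count = 0

    def remaining(self) -> float:
        """Seconds until the cached token expires (<= 0 when none is cached)."""
        return self._expires_at - self._clock() if self._token else 0.0

    def _needs_refresh(self) -> bool:
        return self._token is None or self.remaining() < self._fraction * self._lifetime

    def invalidate(self) -> None:
        """Call this after a 401 so the next get() fetches a fresh token."""
        self._token = None

    def get(self) -> str:
        if self._needs_refresh():
            resp = self._fetch()
            # Validate the response shape before trusting it.
            if str(resp.get("token_type", "")).lower() != "bearer":
                raise ValueError(f"unexpected token_type: {resp.get('token_type')!r}")
            lifetime = float(resp["expires_in"])
            if lifetime <= 0:
                raise ValueError("expires_in must be positive")
            # Anchor expiry to receipt time; a slow network only shortens our estimate.
            self._expires_at = self._clock() + lifetime
            self._lifetime = lifetime
            self._token = str(resp["access_token"])
            self.fetch_count += 1
        return self._token

    def core_api_headers(self) -> dict:
        """Headers for every Core API request."""
        return {"Authorization": f"Bearer {self.get()}",
                "Content-Type": "application/json"}

    def metrics_ws_url(self, base: str = "wss://ws.auravision.ai") -> str:
        """Connection URL for the Metrics API; the token goes once in the query string.

        urlencode percent-escapes characters such as '+' or '=' that a raw JWT
        may contain. Never log the value this returns.
        """
        return base + "?" + urllib.parse.urlencode({"token": self.get()})


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    cache = TokenCache(make_fake_issuer("<your_client_id>", "<your_client_secret>",
                                        "<your_api_audience>"), clock=clock)
    print(cache.core_api_headers())
    clock.advance(2800)  # 800 s of 3600 s left: below 25%, so this refreshes
    print(cache.metrics_ws_url(), "fetches:", cache.fetch_count)
```

Share one TokenCache per process (not per request) and wrap it with a lock if several threads call get() concurrently; on a 401 from either API, call invalidate() and retry once.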