# Create a bearer token POST`https://api2.transloadit.com/token` This endpoint exchanges your Auth Key andAuth Secret for a short-lived Bearer token. It mirrors the OAuth 2.0 `client_credentials` flow but is handled directly by the Transloadit API. Tokens are minted server-side via this endpoint using your Auth Key/Secret. If you expose token creation via a UI, call `/token` from your backend (never directly from the browser). Requests must use `application/x-www-form-urlencoded` and HTTP Basic Auth: ![](/_next/static/media/copy.04p1cju9qekk_.svg?dpl=dpl_4oZuCDMSVRc4TpVAXTjjeEKNLFAH) ``` curl --request POST --url 'https://api2.transloadit.com/token' --user 'auth_key:auth_secret' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'scope=assemblies:read assemblies:write' ``` ## POST fields * Passing `grant_type` is required. Must be `client_credentials`. * Passing `scope` is optional. Optional, space- or comma-separated list of scopes. If omitted, the token inherits all scopes granted to your Auth Key. * Passing `aud` is optional. Optional audience value. Defaults to `api2`. Use the returned token with `Authorization: Bearer ` on API requests. When a request is authenticated with a valid Bearer token, API2 treats Signature Authentication as satisfied and skips signature validation. Signature Authentication is enforced only for key/secret requests. Scope checks still apply. Tokens are valid for six hours (`expires_in` is `21600`). The `aud` value is stored for future audience enforcement. ## Response Here’s an example response body: ![](/_next/static/media/copy.04p1cju9qekk_.svg?dpl=dpl_4oZuCDMSVRc4TpVAXTjjeEKNLFAH) ``` { "access_token": "opaque-token", "token_type": "Bearer", "expires_in": 21600, "scope": "assemblies:read assemblies:write" } ``` On success this request returns a JSON response with the token details. On error it contains an`error` field with the error status code and a `message` describing what went wrong.