Bearer tokens in the Authorization header.
Bearer Token
Include the access token on every protected request as a bearer token in the Authorization header.

Obtaining Tokens

Tokens are issued by the auth endpoints. Depending on your auth setup:

| Method | Endpoint |
|---|---|
| Email + password sign-up | POST /auth/sign-up |
| Email + password sign-in | POST /auth/sign-in |
| External user (JWT-verified) | POST /auth/verify-external-user |
| OAuth (Google, GitHub, etc.) | POST /oauth/authorize |
Refreshing Tokens
When an access token expires, use the refresh token to obtain a new access token. The response returns a new accessToken and a rotated refreshToken. Always store and use the latest refresh token: reusing a revoked one invalidates the entire session. Each rotated refresh token is valid for another 30 days, so active users stay signed in indefinitely. Only if a refresh token goes unused for 30 days will it expire and require the user to sign in again.
See Request New Access Token for full details.
SDK Token Management
If you are using the Replyke SDK (@replyke/react-js, @replyke/react-native, etc.), you do not need to manage tokens manually. The SDK stores tokens, attaches them to every request, and automatically refreshes them before they expire.
Token management is only relevant when calling the REST API directly, for example from a server-side environment using the Node SDK or a custom HTTP client.
Unauthenticated Requests
Some endpoints are publicly accessible without a token (e.g., fetching public entity data). These endpoints do not require an Authorization header. Endpoints that require auth return 401 Unauthorized if the token is missing or expired.
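The refresh-and-retry flow described above, as an added example that is not Replyke's SDK code: a small fetch-style client that attaches the bearer token, refreshes exactly once on a 401, always persists the rotated refresh token, and treats a rejected refresh as a dead session that needs a fresh sign-in. The refresh route (/auth/refresh), the refresh request body and the /entities/1 path are assumptions; only the accessToken and refreshToken field names come from the docs, and a constructed in-memory fake API stands in for the network.

```javascript
const REFRESH_PATH = "/auth/refresh"; // ASSUMED placeholder; the docs link "Request New Access Token" for the real route

function createClient(tokens, fetchImpl) {
  // tokens: { accessToken, refreshToken }, mutated in place so the newest rotated refresh token is always kept
  async function refresh() {
    const res = await fetchImpl(REFRESH_PATH, { method: "POST", headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ refreshToken: tokens.refreshToken }) }); // request body shape is assumed
    if (res.status !== 200) throw new Error("refresh rejected: session invalidated, sign in again");
    const body = await res.json();
    // Replace both tokens: the refresh token just sent is revoked the moment the server rotates it.
    tokens.accessToken = body.accessToken;
    tokens.refreshToken = body.refreshToken;
  }
  async function request(path, init = {}) {
    const send = () => fetchImpl(path, { ...init, headers: { ...(init.headers || {}), Authorization: `Bearer ${tokens.accessToken}` } });
    let res = await send();
    if (res.status === 401) { await refresh(); res = await send(); } // retry exactly once after a refresh
    return res;
  }
  return { request, refresh, tokens };
}

// Constructed fake API (offline stand-in): one valid access token at a time, refresh tokens rotate
// on every use, and presenting an already-rotated refresh token invalidates the whole session.
function fakeApi() {
  let n = 1, dead = false; const revoked = new Set();
  const reply = (status, body) => ({ status, json: async () => body });
  return async (path, init = {}) => {
    if (path === REFRESH_PATH) {
      const { refreshToken } = JSON.parse(init.body);
      if (dead || revoked.has(refreshToken)) { dead = true; return reply(401, {}); }
      if (refreshToken !== `ref-${n}`) return reply(401, {});
      revoked.add(`ref-${n}`); n += 1;
      return reply(200, { accessToken: `acc-${n}`, refreshToken: `ref-${n}` });
    }
    const auth = (init.headers || {}).Authorization;
    return dead || auth !== `Bearer acc-${n}` ? reply(401, {}) : reply(200, { ok: true, path });
  };
}

// Scenario: a stale access token triggers refresh-and-retry; a second copy of the old refresh token then kills the session.
async function demo() {
  const api = fakeApi();
  const fresh = createClient({ accessToken: "acc-0", refreshToken: "ref-1" }, api);
  const stale = createClient({ accessToken: "acc-0", refreshToken: "ref-1" }, api); // leaked/old copy of the same tokens
  const first = await fresh.request("/entities/1"); // constructed path: 401 -> refresh -> 200
  const reuse = await stale.refresh().then(() => "ok", (e) => e.message); // revoked token: whole session dies
  const after = await fresh.request("/entities/1").then((r) => r.status, (e) => e.message);
  return { firstStatus: first.status, refreshToken: fresh.tokens.refreshToken, reuse, after };
}
```

Inject the real fetch in place of fakeApi() to use the client against the API; the refresh branch must run under a single in-flight promise if several requests can hit 401 concurrently, otherwise the second refresh reuses a just-rotated token and revokes the session.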

