POST /v1/keys.mint
Typescript (SDK)

import { Autumn } from 'autumn-js'

const autumn = new Autumn()

const result = await autumn.keys.mint({
  customerId: "cus_123",
});

Response

{
  "access_token": "am_jwt_eyJhbGciOiJIUzI1NiJ9...",
  "refresh_token": "am_jwt_eyJhbGciOiJIUzI1NiJ9...",
  "expires_at": 1781113864000,
  "refresh_expires_at": 1781196664000
}

Mints a per-customer token — a scoped am_jwt_ credential — so a self-hosted or downstream app can call Autumn directly without your secret key. Authenticated with your secret key. Returns a short-lived access token (1h) and a rotating refresh token (24h), both bound to a single customer.

How it works

  1. Your backend calls keys.mint with your secret key to issue a token pair for a customer.
  2. Hand the access token to that customer’s app. It can call check, track, customers.get and entities.get — always scoped to that customer, even if a different customer_id is sent.
  3. Before the access token expires, the app calls keys.refresh with its refresh token to rotate a fresh pair — no secret key required.
const { accessToken, refreshToken } = await autumn.keys.mint({
  customerId: "cus_123",
});
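
The lifecycle in steps 1 to 3, seen from the customer's app, as an added example that is not part of Autumn's SDK or docs: `nextAction` decides from `expires_at` and `refresh_expires_at` whether to use, refresh or re-mint, and `makeTokenSource` collapses concurrent refreshes into one call. The `refresh` and `remint` callbacks, the 60-second skew and the single-use behaviour of a rotated refresh token are assumptions.

```typescript
// Added example; not Autumn SDK code. Field names follow the keys.mint response.
type TokenPair = {
  access_token: string;
  expires_at: number | null;    // ms since epoch; null for indefinite tokens
  refresh_token?: string;       // omitted for indefinite tokens
  refresh_expires_at?: number;  // ms since epoch
};
type Action = "use" | "refresh" | "remint";
// Decide what to do with the stored pair at nowMs. skewMs refreshes early so a
// request never leaves carrying a token that expires in flight.
function nextAction(p: TokenPair, nowMs: number, skewMs: number = 60000): Action {
  if (p.expires_at === null) return "use"; // indefinite: ends only via keys.revoke
  if (nowMs < p.expires_at - skewMs) return "use";
  const canRefresh = p.refresh_token !== undefined &&
    p.refresh_expires_at !== undefined && nowMs < p.refresh_expires_at;
  return canRefresh ? "refresh" : "remint"; // remint goes back to your backend
}

// Hypothetical transports supplied by the app: one wraps its keys.refresh call,
// the other asks your backend (which holds the secret key) to mint again.
type Refresher = (refreshToken: string) => Promise<TokenPair>;
type Reminter = () => Promise<TokenPair>;

function makeTokenSource(initial: TokenPair, refresh: Refresher, remint: Reminter) {
  let pair = initial;
  let inflight: Promise<TokenPair> | null = null;
  return async function accessToken(nowMs: number = Date.now()): Promise<string> {
    const action = nextAction(pair, nowMs);
    if (action === "use") return pair.access_token;
    // Single-flight (assumes a rotated refresh token is no longer accepted).
    if (inflight === null) {
      inflight = action === "refresh" ? refresh(pair.refresh_token as string) : remint();
    }
    try {
      pair = await inflight;
    } finally {
      inflight = null;
    }
    return pair.access_token;
  };
}

// Constructed sample: expiry values from the example response, placeholder tokens.
const SAMPLE: TokenPair = {
  access_token: "am_jwt_ACCESS_PLACEHOLDER",
  refresh_token: "am_jwt_REFRESH_PLACEHOLDER",
  expires_at: 1781113864000,
  refresh_expires_at: 1781196664000,
};
```

A failed refresh rejects for every caller waiting on it and clears the in-flight slot, so the next call retries rather than reusing a dead promise.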


Authorizations

Authorization (string, header, required)

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Headers

x-api-version (string, default: 2.3.0, required)

Body

application/json
customer_id (string, required)

The customer to mint a token for.

indefinite (boolean)

If true, mint a non-expiring access token (no refresh token). Revoke via keys.revoke.

Response

200 - application/json

OK

access_token (string, required)

Access token (1h, or non-expiring if indefinite), prefixed am_jwt_.

expires_at (number | null, required)

Access-token expiry, ms since epoch. null for indefinite tokens.

refresh_token (string)

Rotating refresh token (24h). Omitted for indefinite tokens.

refresh_expires_at (number)

Refresh-token expiry, ms since epoch. Omitted for indefinite tokens.