Using an Access Token

An access token authorizes requests to the Altium 365 API. You include it in every request as a bearer token in the Authorization header.

Access tokens can be obtained in two ways:

  • Directly – when you create a long-lived access token in Admin → Developer

  • Via exchange – when you use a refresh token to generate a short-lived access token

The authorization pattern is the same regardless of how the token was obtained.

Authorization Header

Authorization: Bearer {access-token}

Example: curl

curl -X POST https://{workspace-domain}/svc/napi/gateway/graphql/ \
  -H "Authorization: Bearer {access-token}" \
  -H "Content-Type: application/json" \
  -d '{"query": "{ desProjects(first: 5) { nodes { id name } } }"}'

Token Expiry

Long-lived access tokens expire after the lifetime you configured at creation (up to 1 year). Once expired, you'll need to create a new token in Admin → Developer.

Short-lived access tokens (obtained via refresh token exchange) expire after a short period. When that happens, exchange your refresh token again to get a new one – see Using a Refresh Token.

An expired token causes API requests to return 401 Unauthorized.

Security

  • Do not embed access tokens in client-side code or commit them to source control.

  • For long-running, automated integrations, prefer the refresh token approach – short-lived access tokens limit the exposure window if a token is ever compromised.
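The guidance above, as an added shell example that is not Altium's own code: the token is read from the environment instead of being written into the script, passed to curl on stdin so it stays out of the process argument list, and a 401 is reported with its own exit code so a caller knows to replace the token. The variable names A365_TOKEN and A365_DOMAIN and the a365_* function names are assumptions.

```shell
#!/bin/sh
# Added example, not Altium's code. A365_TOKEN, A365_DOMAIN and the a365_*
# function names are assumptions made for this sketch.

# Print a curl config line carrying the bearer header. Feeding it to curl on
# stdin keeps the token out of the process argument list and the script file.
# RFC 6750 bearer tokens use only the characters allowed below; refusing
# anything else stops quotes or newlines from injecting config lines or headers.
a365_curl_config() {
  [ -n "${A365_TOKEN:-}" ] || { echo "A365_TOKEN is not set" >&2; return 2; }
  case $A365_TOKEN in
    *[!A-Za-z0-9._~+/=-]*) echo "A365_TOKEN has unexpected characters" >&2; return 2 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$A365_TOKEN"
}

# Map an HTTP status to an exit code; 10 means the token must be replaced
# (new long-lived token, or a fresh refresh token exchange).
a365_check_status() {
  case $1 in
    2??) return 0 ;;
    401) echo "401 Unauthorized: access token expired or invalid" >&2; return 10 ;;
    *)   echo "request failed with HTTP status $1" >&2; return 1 ;;
  esac
}

# POST a GraphQL request body ($1) and print the response only on success.
a365_graphql() {
  [ -n "${A365_DOMAIN:-}" ] || { echo "A365_DOMAIN is not set" >&2; return 2; }
  cfg=$(a365_curl_config) || return $?
  out=$(mktemp) || return 1          # mktemp creates the file with mode 0600
  http_status=$(printf '%s\n' "$cfg" | curl -sS -K - -o "$out" -w '%{http_code}' \
    -X POST "https://${A365_DOMAIN}/svc/napi/gateway/graphql/" \
    -H "Content-Type: application/json" -d "$1") || http_status=000
  rc=0
  a365_check_status "$http_status" || rc=$?
  [ "$rc" -eq 0 ] && cat "$out"
  rm -f "$out"
  return "$rc"
}
```

A caller exports A365_DOMAIN and A365_TOKEN from its secret store, runs a365_graphql with the JSON body from the curl example, and treats exit code 10 as the signal to obtain a new token.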
