# Authentication

OAuth2 Client Credentials authentication and API key management.

Each `client_id` / `client_secret` pair represents an access credential. Exchange the credentials for a JWT token via `POST /auth/token` and send the token as Bearer in all requests. The token expires in 1 hour.

You can create multiple credentials for different environments and revoke them individually.

## Exchange credentials for an access token

- [POST /auth/token](https://dinie.redocly.app/apis/openapi/authentication/createtoken.md): Authenticates the partner using the OAuth2 Client Credentials flow. Send client_id and client_secret in the Authorization header (Basic Auth) to receive a JWT token. The token expires in 1 hour and must be sent as a Bearer token in all other requests. The SDKs handle token retrieval and renewal automatically.

## Create a new API key

- [POST /auth/credentials](https://dinie.redocly.app/apis/openapi/authentication/createcredential.md): Creates a new credential pair (client_id + client_secret) for the partner. The client_secret is displayed only once in the response — store it securely. Use multiple credentials to separate environments (production, staging, development) or distinct internal systems.

## List API keys

- [GET /auth/credentials](https://dinie.redocly.app/apis/openapi/authentication/listcredentials.md): Returns all API keys for the authenticated partner, including name, creation date, and status (active or revoked). For security, the client_secret is not returned in this listing — it is displayed only at creation time via POST /auth/credentials.

## Revoke an API key

- [DELETE /auth/credentials/{client_id}](https://dinie.redocly.app/apis/openapi/authentication/revokecredential.md): Revokes an API key immediately and irreversibly. After revocation, no new tokens can be issued with this credential. Tokens already issued before revocation remain valid until they expire (maximum 1 hour). Use this endpoint when decommissioning an environment or in case of credential leakage.
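
The token exchange and renewal described above, as an added example that is not the provider's SDK or code from this page: it builds the Basic header for `POST /auth/token`, caches the JWT in memory, and re-exchanges the credentials before the 1-hour expiry. The base URL, the `access_token` / `expires_in` response fields (standard OAuth2 names), the 60-second renewal margin and the injected `post` callable are assumptions; the page does not specify the request body, so none is sent here.

```python
import base64
import time

TOKEN_URL = "https://api.example.invalid/auth/token"  # placeholder base URL (assumption)
TOKEN_LIFETIME = 3600  # seconds; the page states tokens expire in 1 hour
RENEW_MARGIN = 60      # renew this many seconds early (assumption)


def basic_auth_header(client_id, client_secret):
    """Authorization header value for POST /auth/token (HTTP Basic)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenCache:
    """Caches the JWT in memory and re-exchanges credentials before expiry."""

    def __init__(self, client_id, client_secret, post, clock=time.monotonic):
        self._auth = basic_auth_header(client_id, client_secret)
        self._post = post    # hypothetical transport: callable(url, headers) -> dict
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def bearer_header(self):
        """Return the Authorization header for API calls, renewing if needed."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - RENEW_MARGIN:
            body = self._post(TOKEN_URL, {"Authorization": self._auth})
            self._token = body["access_token"]  # field name assumed (RFC 6749)
            lifetime = min(int(body.get("expires_in", TOKEN_LIFETIME)), TOKEN_LIFETIME)
            self._expires_at = now + lifetime
        return "Bearer " + self._token

    def invalidate(self):
        """Drop the cached token, e.g. after a 401 or when the key is revoked."""
        self._token = None


def demo():
    """Constructed run with a fake transport and clock; no network access."""
    calls = []
    def fake_post(url, headers):
        calls.append(headers["Authorization"])
        return {"access_token": f"jwt-{len(calls)}", "expires_in": 3600}
    ticks = iter((0.0, 1800.0, 3545.0))  # fresh, still cached, inside renew margin
    cache = TokenCache("demo-id", "demo-secret", fake_post, clock=lambda: next(ticks))
    seen = [cache.bearer_header() for _ in range(3)]
    return seen, calls
```

Because tokens issued before a revocation remain valid for up to 1 hour, call `invalidate()` in every process that holds a token from the revoked credential instead of letting the cache run to expiry.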