How to obtain an access token

Last updated on Mar 28, 2026

An access token is required to authorise subsequent API requests in LMS Smart Way. After obtaining the token, you pass it in the Authorization header with the Bearer type and use it to call the available endpoints in accordance with the scopes embedded in the token.

This article shows how to obtain a token, what exactly the API returns in the response, and what to pay attention to before integration. If you are just starting the integration setup, first ensure that you have a valid company_api_key.

Prerequisites

  • You must have a valid company_api_key for your company.

  • The token request must be sent to the /api/v1/auth/token endpoint.

  • The API key is passed in the X-API-Key header.

  • The obtained access token is used only for subsequent API calls and does not replace the API key.

Request

curl -X POST 'https://smartway.pro/api/v1/auth/token' \
  -H 'X-API-Key: <company_api_key>'

Successful response

{
  "access_token": "<short_lived_jwt>",
  "token_type": "Bearer",
  "expires_in": 900,
  "scope": "academy.read academy.write employees.read employees.write tests.read tests.write files.read"
}

Response rules

  • access_token — short-lived JWT for subsequent public API calls

  • token_type — always Bearer

  • expires_in — TTL in seconds

  • scope — space-separated list of the scopes embedded in the token

What is inside the access token

  • The JWT contains the companyId claim for tenant isolation.

  • The JWT also contains the hrEmail claim — the email of the HRADMIN who created or rotated the company’s current active API key.

  • If another HRADMIN generates or rotates the API key, newly issued tokens will contain a different hrEmail, which will be used for subsequent employee write operations.

How to use the access token in subsequent requests

After successfully obtaining the token, pass it in the Authorization header in the format Bearer <access_token>. This token is used to authorise subsequent requests to the public API.

Before making a request, check that the token has not expired. If it has expired, obtain a new access token by calling the authorisation endpoint again.
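
The expiry check described above, as an added example in Python (not code from LMS Smart Way): a small cache that requests a token with the X-API-Key header, reuses it until shortly before expires_in elapses, and checks the returned scope before building the Authorization header. The names TokenCache, fetch_token and auth_header and the 30-second skew margin are assumptions made for this illustration.

```python
import json
import time
import urllib.request

TOKEN_URL = "https://smartway.pro/api/v1/auth/token"  # endpoint from the article


def fetch_token(api_key):
    """POST to the token endpoint with the API key in X-API-Key (hypothetical helper)."""
    req = urllib.request.Request(TOKEN_URL, method="POST",
                                 headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token and renews it shortly before it expires."""

    def __init__(self, api_key, fetch=fetch_token, clock=time.monotonic, skew=30):
        self._api_key = api_key      # keep out of logs and error messages
        self._fetch = fetch          # injectable so the cache can be tested offline
        self._clock = clock
        self._skew = skew            # assumed safety margin, in seconds
        self._token = None
        self._scopes = frozenset()
        self._expires_at = 0.0

    def _refresh(self):
        requested_at = self._clock()
        body = self._fetch(self._api_key)
        if body.get("token_type") != "Bearer":
            raise ValueError("unexpected token_type in token response")
        self._token = body["access_token"]
        self._scopes = frozenset(body.get("scope", "").split())
        # Count the TTL from before the request so network delay cannot extend it.
        self._expires_at = requested_at + int(body["expires_in"])

    def auth_header(self, required_scope=None):
        """Return the Authorization header, fetching a new token if needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        if required_scope and required_scope not in self._scopes:
            raise PermissionError(f"token lacks scope {required_scope}")
        return {"Authorization": f"Bearer {self._token}"}
```

Passing the scope an endpoint needs, for example auth_header("employees.write"), fails locally when the token was not issued with that scope instead of sending a request that will be rejected.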