> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pr.snh-ai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Auth Token

> Exchange an API key for a JWT bearer token

Exchange your API key for a short-lived JWT token. Use this token in the `Authorization` header for all protected endpoints.

## Request

<ParamField header="X-API-Key" type="string" required>
  Your API key, provided during [Account Setup](/account-setup). Format: `eval-api-key-<unique-hash>`
</ParamField>

<ParamField header="Content-Type" type="string" required>
  Must be `application/json`
</ParamField>

## Response

<ResponseField name="access_token" type="string" required>
  JWT token to include in the `Authorization: Bearer` header on subsequent requests
</ResponseField>

<ResponseField name="token_type" type="string" required>
  Always `"bearer"`
</ResponseField>

<ResponseField name="expires_in" type="integer" required>
  Token lifetime in seconds. Default: `7200` (2 hours)
</ResponseField>

## Example Request

<CodeGroup>
  ```bash cURL theme={null}
  curl -X POST https://cra.pr.snh-ai.com/auth/token \
    -H "X-API-Key: eval-api-key-YOUR_KEY" \
    -H "Content-Type: application/json"
  ```

  ```python Python theme={null}
  import requests

  resp = requests.post(
      "https://cra.pr.snh-ai.com/auth/token",
      headers={"X-API-Key": "eval-api-key-YOUR_KEY"}
  )
  resp.raise_for_status()
  token = resp.json()["access_token"]
  ```

  ```javascript JavaScript theme={null}
  const resp = await fetch("https://cra.pr.snh-ai.com/auth/token", {
    method: "POST",
    headers: { "X-API-Key": "eval-api-key-YOUR_KEY" }
  });
  const { access_token } = await resp.json();
  ```
</CodeGroup>

## Example Response

```json theme={null}
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer",
  "expires_in": 7200
}
```

## Error Responses

### 401 — Missing API Key

```json theme={null}
{
  "detail": "API key is required"
}
```

### 401 — Invalid API Key

```json theme={null}
{
  "detail": "Invalid API key."
}
```

## Notes

* Tokens expire in **2 hours** (7200 seconds). Request a new token before expiry.
* Tokens cannot be refreshed or extended.
* Store tokens securely. Never expose API keys in client-side code.

## Related

* [Authentication](/authentication) — Full authentication guide with best practices
* [Environments](/environments) — Base URLs for staging and production
