Authentication

Application tokens

Application tokens are the recommended way to authenticate with the emnify REST API for machine-to-machine (M2M) communications. Unlike user credentials, application tokens don’t require storing passwords on your servers or dealing with multi-factor authentication (MFA).

Key benefits:

  • Create multiple tokens for different applications or environments
  • Restrict tokens to specific IP address ranges
  • Set expiration dates for automatic revocation
  • Revoke individual tokens at any time without affecting others

Security best practices:

  • Always set an expiration date for production tokens
  • Use IP restrictions when your server has a static IP
  • Store tokens in environment variables, never in source code
  • Rotate tokens periodically and revoke unused tokens

Application tokens are scoped to the Workspace where they were created. For operations that require access to multiple Workspaces (such as Workspace switching or cross-Workspace SIM transfers), you must authenticate with user credentials.

Create an application token

To create an application_token, send a POST request to /api/v1/application_token.

POST
/api/v1/application_token
1curl -X POST https://cdn.emnify.net/api/v1/application_token \
2     -H "Authorization: Bearer <token>" \
3     -H "Content-Type: application/json" \
4     -d '{
5  "description": "Token with expiry date",
6  "expiry_date": "2021-05-29T00:00:00.000Z"
7}'
Try it
Response
1{
2  "application_token": "KAOp24TuMgjO2FpZmZ3ZFjSqpk7ea_mY8H2daMlMXF-lRbmMzLeQwSEX67-NFczI3GgHcHpCKTfAw"
3}

You can revoke the application token at any time.

You can also create and view application tokens in the emnify Portal. For step-by-step instructions, see Application tokens.

Authenticate with an application token

Once you create an application token, use /api/v1/authenticate to generate a JWT auth_token that authenticates subsequent API calls.

POST
/api/v1/authenticate
1curl -X POST https://cdn.emnify.net/api/v1/authenticate \
2     -H "Content-Type: application/json" \
3     -d '{
4  "application_token": "5cCI6IkpXVCJ9.."
5}'
Try it
Response
1{
2  "auth_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
3}

The server returns only an auth_token. The response doesn’t include a refresh_token.

Handle token expiration

When an application token expires or is revoked:

  • Any auth_token generated from it remains valid until its own expiration
  • New authentication attempts with the expired application token fail with a 401 Unauthorized error
  • You need to create a new application token and update your application configuration

To avoid service interruptions:

  1. Set up monitoring for authentication failures
  2. Create a new application token before the current one expires
  3. Update your application to use the new token
  4. Revoke the old token after the transition is complete

Use an SDK

If you prefer to use an SDK instead of direct API calls: