For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Request featuresContact support
DocsAPI ReferenceGraphQLIntegrationsDeveloper Tools
DocsAPI ReferenceGraphQLIntegrationsDeveloper Tools
    • Getting started
  • Authentication
    • Application tokens
    • User credentials
    • Multi-factor authentication
    • JWTs
  • Work with the API
    • Conventions
    • Rate limits
    • Collections and pagination
    • Concatenated SMS
    • User management
    • Error handling
  • Connectivity
    • Register SIMs
    • Create endpoints
    • Manage devices
    • Configure DNS settings
    • Factory test mode
    • SMS operations
    • Advanced eSIM
  • Callbacks
    • API
    • SMS
  • Examples
    • Endpoint toggle (JS)
    • Device status (JS)
    • curl
  • Reference
    • Data Streamer
    • Events
    • IMSI
    • SIM
    • Endpoint
    • Service profile
    • Organization
    • Tariff plan
    • Tariff profile
LogoLogo
Request featuresContact support
On this page
  • Use the auth token
  • JWT structure
  • Decode and inspect tokens
  • Handle expired tokens
Authentication

JWTs

Was this page helpful?

Last updated March 17, 2026

Previous

Multi-factor authentication

Next

Conventions

Built with

JSON Web Tokens (JWTs) are signed JSON objects that authenticate your API requests. After you authenticate with application tokens (or, temporarily, user credentials for specific cross-Workspace APIs), the API returns a JWT called auth_token.

Use the auth token

Include the auth_token in the Authorization header of every API request using the Bearer scheme:

1Authorization: Bearer YOUR_AUTH_TOKEN

The following example shows how to include the auth_token when creating a new user:

POST
/api/v1/user
1curl -X POST https://cdn.emnify.net/api/v1/user \
2     -H "Authorization: Bearer <token>" \
3     -H "Content-Type: application/json" \
4     -d '{
5  "username": "eabbot@flatland.org",
6  "name": "Edwin Abbott",
7  "organisation": {
8    "id": 123
9  },
10  "roles": [
11    {
12      "id": 1
13    },
14    {
15      "id": 2
16    }
17  ]
18}'
Try it

Don’t confuse auth_token with application_token. Application tokens are long-lived credentials you use to obtain an auth token. The auth token is what you include in API request headers.

JWT structure

A JWT consists of three parts separated by dots: header.payload.signature

PartDescription
HeaderContains the token type (JWT) and signing algorithm
PayloadContains claims about the user and token metadata
SignatureVerifies the token hasn’t been tampered with

Decode and inspect tokens

To inspect a JWT’s contents, use jwt.io or decode it in your application.

Never share your auth tokens publicly. If you use jwt.io, be aware that the token contents are visible and could be logged. For production debugging, decode tokens locally.

Example using Python:

1import base64
2import json
3
4def decode_jwt(token):
5    parts = token.split('.')
6    payload = parts[1]
7    # Add padding if needed
8    payload += '=' * (4 - len(payload) % 4)
9    decoded = base64.urlsafe_b64decode(payload)
10    return json.loads(decoded)

Handle expired tokens

When your auth_token expires, API requests return a 401 Unauthorized error. To handle this:

  1. Catch the 401 response in your application
  2. Re-authenticate to get a new token (using your application token or refresh token)
  3. Retry the failed request with the new token

To avoid failed requests, track token expiration and refresh proactively. For user credentials, the auth_token expires after 240 minutes.