Authentication & token lifecycle
Reporting API clients use client credentials to authenticate. To get an access token, send a request to the authentication endpoint with your clientId and clientSecret, then use the returned JWT as Authorization: Bearer <jwt> on all reporting routes. See Generate OAuth Token in the API Reference.
Token response
| Field | Meaning |
|---|---|
jwt |
Bearer token for the Reporting API. Use as Authorization: Bearer <jwt>. |
Expiry and re-authentication
Tokens expire after 12 hours.
- Decode the JWT
expclaim to know when the token expires and re-authenticate proactively. - On 401 Unauthorized from the API, obtain a new JWT with
POST https://reporting.api.later.com/oauth/token.
Token errors
Failed authentication requests return application/problem+json with type, title, and detail (no status in the body). See the full list of type values in Error codes:
- 401 with
type: ANL_00401— invalid, malformed, or expired JWT. When the token has expired,detailwill say so explicitly. - 403 with
type: ANL_00403— credentials are valid but the client is disabled, has no accessible instances, or the requestedinstanceIdsare not within scope.
Instance scope
Your OAuth client is configured with a predefined set of instances. When calling performance endpoints you can:
- Supply
instanceIdsto scope the response to a subset. Values must be drawn from the set bound to your client credentials; requesting an instance outside that set returns 403 withtype: ANL_00403. - Omit
instanceIdsto query every instance associated with your client credentials. The response aggregates or lists data across all of them.
See Querying the API for array-formatting details.