Authentication & token lifecycle

Reporting API clients use client credentials: POST a JSON body with clientId and clientSecret to the token URL, then pass the returned JWT as Authorization: Bearer <jwt> on all reporting routes. See Generate OAuth Token in the API Reference.

Token response

| Field | Meaning |
| --- | --- |
| jwt | Bearer token for the Reporting API. Use as Authorization: Bearer <jwt>. |

The token carries an exp claim. Decode it to know the exact expiry time.

Storage

| Do | Do not |
| --- | --- |
| Keep clientSecret in a secrets manager or encrypted environment | Commit secrets or JWTs to source control |
| Hold short-lived JWTs in server-side memory or cache | Expose credentials in browser or mobile apps |

Expiry and re-authentication

  1. Decode the JWT exp claim to know when the token expires and re-authenticate proactively.
  2. On 401 Unauthorized from the API, obtain a new JWT with POST https://reporting.api.later.com/oauth/token.

Token errors (401)

Failed token requests return 401 with Content-Type: application/problem+json and a small JSON object (RFC 9457 style: type, title, detail — no status field in the body):

| type | Typical meaning |
| --- | --- |
| INVALID_CLIENT_CREDENTIALS | Wrong clientId or clientSecret |
| CLIENT_DISABLED | Client has been disabled |
| NO_ACCESSIBLE_INSTANCES | Client has no active instance associations |
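
A server-side token cache covering the expiry steps and the token error types above, as an added example that is not part of the original documentation. It assumes a caller-supplied post_token function that POSTs clientId and clientSecret to the token URL and returns (status, content_type, body_text); the 60-second renewal margin and all class and function names are also assumptions.

```python
import base64, json, time

def jwt_exp(jwt):
    """Read exp (epoch seconds) from the JWT payload. No signature check:
    the client only needs the expiry; the API validates the token itself."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    exp = json.loads(base64.urlsafe_b64decode(padded)).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("JWT has no numeric exp claim")
    return exp

class TokenError(Exception):
    """Token request failed; .type carries the problem+json type field."""
    def __init__(self, type_, detail=""):
        super().__init__(f"{type_}: {detail}")  # never includes the secret
        self.type = type_

class TokenCache:
    """Holds the JWT in process memory only and renews it before exp."""
    def __init__(self, post_token, skew=60, clock=time.time):
        # post_token is the assumed transport helper described in the lead-in.
        self._post, self._skew, self._clock = post_token, skew, clock
        self._jwt, self._exp = None, 0

    def get(self):
        # Renew proactively once we are within `skew` seconds of expiry.
        if self._jwt is None or self._clock() >= self._exp - self._skew:
            self._refresh()
        return self._jwt

    def invalidate(self):
        """Call on 401 from a reporting route so the next get() re-authenticates."""
        self._jwt = None

    def _refresh(self):
        status, ctype, body = self._post()
        if status >= 400:
            problem = json.loads(body) if "application/problem+json" in ctype else {}
            raise TokenError(problem.get("type", f"HTTP_{status}"), problem.get("detail", ""))
        jwt = json.loads(body)["jwt"]
        self._exp = jwt_exp(jwt)  # raises before a malformed token is cached
        self._jwt = jwt

    def auth_header(self):
        return {"Authorization": f"Bearer {self.get()}"}
```

INVALID_CLIENT_CREDENTIALS and CLIENT_DISABLED will not clear on retry, so callers should treat those TokenError types as fatal and alert rather than loop.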

Instance-scoped access

Your OAuth client is provisioned with a fixed set of instances (workspaces). Those bindings determine which instance IDs you may query.

  1. Discover IDs — Call GET /instances with your JWT. The response lists instanceIds your credentials are allowed to use.
  2. Scope requests — Pass one or more values as instanceIds on performance endpoints (see Querying the API for array formats).
  3. Validation — For a v2 JWT, allowed instances are exactly the set tied to your client. Requesting instance IDs outside that set is invalid: depending on how the request is validated, you may get an authorization error, a problem response, or empty data. If results look wrong, confirm every instanceId appears in your latest GET /instances response.

Calling the API

GET /campaigns/performance?startDate=2025-01-01&endDate=2025-01-31&instanceIds=instance_abc
Authorization: Bearer <jwt>

Full URL example: https://reporting.api.later.com/v2/campaigns/performance?...