Authentication & token lifecycle
Reporting API clients use client credentials to authenticate. To get an access token, send a request to the authentication endpoint with your clientId and clientSecret, then use the returned JWT as Authorization: Bearer <jwt> on all reporting routes. See Generate OAuth Token in the API Reference.
Server-side integrations only
The Reporting API is intended for trusted server-side integrations only — for example, a backend service, data pipeline, or warehouse sync job. It is not designed for direct use from browser applications (SPAs, mobile web views, or client-side JavaScript).
clientId and clientSecret are confidential credentials. Store and use them only on infrastructure you control; never embed them in frontend code or expose them to end users.
Browser-based requests to POST /oauth/token or any Reporting API route are blocked by design. The API does not send CORS headers, so browsers reject cross-origin responses with errors such as "CORS policy" or "Failed to fetch", which may appear alongside HTTP 403 on /oauth/token. These symptoms indicate an unsupported client environment, not a service outage. Use a server-side client as shown in Getting started.
Token response
| Field | Meaning |
|---|---|
jwt |
Bearer token for the Reporting API. Use as Authorization: Bearer <jwt>. |
Expiry and re-authentication
Tokens expire after 12 hours.
- Decode the JWT
expclaim to know when the token expires and re-authenticate proactively. - On 401 Unauthorized from the API, obtain a new JWT with
POST https://reporting.api.later.com/oauth/token.
Token errors
Failed authentication requests return application/problem+json with type, title, and detail (no status in the body). See the full list of type values in Error codes:
- 401 with
type: ANL_00401— invalid, malformed, or expired JWT. When the token has expired,detailwill say so explicitly. - 403 with
type: ANL_00403— credentials are valid but the client is disabled, has no accessible instances, or the requestedinstanceIdsare not within scope.
Instance scope
Your OAuth client is configured with a predefined set of instances. When calling performance endpoints you can:
- Supply
instanceIdsto scope the response to a subset. Values must be drawn from the set bound to your client credentials; requesting an instance outside that set returns 403 withtype: ANL_00403. - Omit
instanceIdsto query every instance associated with your client credentials. The response aggregates or lists data across all of them.
See Querying the API for array-formatting details.