Authentication & token lifecycle

Reporting API clients use client credentials to authenticate. To get an access token, send a request to the authentication endpoint with your clientId and clientSecret, then use the returned JWT as Authorization: Bearer <jwt> on all reporting routes. See Generate OAuth Token in the API Reference.

Server-side integrations only

The Reporting API is intended for trusted server-side integrations only — for example, a backend service, data pipeline, or warehouse sync job. It is not designed for direct use from browser applications (SPAs, mobile web views, or client-side JavaScript).

clientId and clientSecret are confidential credentials. Store and use them only on infrastructure you control; never embed them in frontend code or expose them to end users.

Browser-based requests to POST /oauth/token or any Reporting API route are blocked by design. The API does not send CORS headers, so browsers reject cross-origin responses with errors such as "CORS policy" or "Failed to fetch", which may appear alongside HTTP 403 on /oauth/token. These symptoms indicate an unsupported client environment, not a service outage. Use a server-side client as shown in Getting started.

Token response

Field Meaning
jwt Bearer token for the Reporting API. Use as Authorization: Bearer <jwt>.

Expiry and re-authentication

Tokens expire after 12 hours.

  1. Decode the JWT exp claim to know when the token expires and re-authenticate proactively.
  2. On 401 Unauthorized from the API, obtain a new JWT with POST https://reporting.api.later.com/oauth/token.

Token errors

Failed authentication requests return application/problem+json with type, title, and detail (no status in the body). See the full list of type values in Error codes:

  • 401 with type: ANL_00401 — invalid, malformed, or expired JWT. When the token has expired, detail will say so explicitly.
  • 403 with type: ANL_00403 — credentials are valid but the client is disabled, has no accessible instances, or the requested instanceIds are not within scope.

Instance scope

Your OAuth client is configured with a predefined set of instances. When calling performance endpoints you can:

  • Supply instanceIds to scope the response to a subset. Values must be drawn from the set bound to your client credentials; requesting an instance outside that set returns 403 with type: ANL_00403.
  • Omit instanceIds to query every instance associated with your client credentials. The response aggregates or lists data across all of them.

See Querying the API for array-formatting details.