Authentication

Authentication Guide

The Smoo AI API uses OAuth 2.0 client credentials flow for machine-to-machine authentication. This guide walks you through creating credentials and authenticating your API requests.

Overview

All API requests (except the token endpoint) require a valid Bearer token. You obtain tokens by exchanging your client credentials at the token endpoint.

OAuth 2.0

Client credentials grant type for server-to-server communication.

Bearer Tokens

JWT tokens included in the Authorization header of every request.

Token Expiry

Tokens expire after 1 hour. Refresh by requesting a new token.

1. Create API Credentials

Navigate to Settings > API Keys in the Smoo AI dashboard. Click Create Client to generate a new client ID and secret pair.

Prefer the terminal? The th CLI mints the same clients: th api keys create --type m2m for a machine-to-machine secret, or th api keys create --type b2m --allowed-origin https://app.example.com for a browser-to-machine publishable key. Manage them with th api keys list, th api keys rotate, and th api keys revoke.

Store your secret securely

The client secret is shown only once. Store it in a secure location like a secrets manager or environment variable. Never commit secrets to source control.

2. Request an Access Token

Exchange your client credentials for an access token by making a POST request to the token endpoint.

Skip the boilerplate: run th api login and the th CLI performs this exchange for you, caching the token (th api whoami shows the active identity and TTL). Reads SMOOAI_CLIENT_ID / SMOOAI_CLIENT_SECRET from the environment, or pass --client-id / --client-secret.

curl -X POST https://auth.smoo.ai/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

Response

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}

3. Use the Token

Include the access token in the Authorization header of all API requests.

curl https://api.smoo.ai/organizations \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Rate Limiting

The API enforces rate limits to ensure fair usage. The default limit is 100 requests per 60 seconds per authenticated token.

HeaderDescription
X-RateLimit-LimitMaximum requests per window
X-RateLimit-RemainingRemaining requests in current window
X-RateLimit-ResetUnix timestamp when the window resets

When you exceed the rate limit, the API returns a 429 Too Many Requests response. Wait until the reset time before retrying.