# Get bearer token

> Exchanges an OMS API key + secret for a bearer token valid for 60 minutes. The token is signed by the OMS issuer and must be presented as `Authorization: Bearer <token>` on every other endpoint.



## OpenAPI

````yaml /api-reference/openapi.yaml post /auth/token
openapi: 3.0.3
info:
  title: Polygon OMS Public API
  version: v26.05.28-0001
  description: >-
    Unified API for moving money between crypto and fiat. Three ways to move
    money: Transactions (instant, wallet or card funded, including Cash-In for
    in-person cash deposits), Deposit Addresses (reusable crypto deposit
    configurations), and Virtual Accounts (dedicated bank accounts that
    auto-convert fiat to crypto). Standard transactions follow a two-step flow:
    create a Quote (pricing), then create a Transaction (execution). Cash-in
    codes generate a one-time deposit code for in-person cash deposits at retail
    locations.
  contact:
    name: Polygon OMS
    url: https://oms.polygon.technology
servers:
  - url: https://sandbox-api.polygon.technology/v0.9
    description: Sandbox
  - url: https://api.polygon.technology/v0.9
    description: Production
security:
  - BearerAuth: []
tags:
  - name: Auth
    description: Authentication via FrontEgg
  - name: Customers
    description: Customer management and KYC
  - name: Customer
  - name: Wallet
  - name: Quote
  - name: Transaction
  - name: Webhook
  - name: CashIns
  - name: CashLocation
  - name: Sandbox
  - name: Simulation
paths:
  /auth/token:
    post:
      tags:
        - Auth
      summary: Get bearer token
      description: >-
        Exchanges an OMS API key + secret for a bearer token valid for 60
        minutes. The token is signed by the OMS issuer and must be presented as
        `Authorization: Bearer <token>` on every other endpoint.
      operationId: authorize
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthorizeRequest'
      responses:
        '200':
          description: Token issued
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizeResponse'
        '400':
          description: Malformed request body
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '401':
          description: Invalid or revoked credentials
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      security: []
components:
  schemas:
    AuthorizeRequest:
      type: object
      required:
        - apiKey
        - apiSecret
      properties:
        apiKey:
          type: string
          description: |
            Secret API key identifier. Prefix encodes (mode, env): `sk_live_…` /
            `sk_sdbx_…` on prod; non-prod envs add an env infix
            (`sk_dev_sdbx_…`, `sk_stg_live_…`, …). The matching apiSecret is
            shown once at key creation and stored only as an HMAC hash.
          example: sk_live_abc123...
        apiSecret:
          type: string
          description: Opaque secret revealed once at key creation; not a typeid.
          example: opaque-bearer-secret...
    AuthorizeResponse:
      type: object
      required:
        - accessToken
        - tokenType
        - expiresIn
        - expiresAt
      properties:
        accessToken:
          type: string
          example: eyJhbGciOiJSUzI1NiIs...
        tokenType:
          type: string
          enum:
            - bearer
        expiresIn:
          type: integer
          example: 3600
        expiresAt:
          type: string
          format: date-time
    ErrorResponse:
      type: object
      required:
        - error
        - code
        - msg
        - status
      description: >-
        Canonical OMSX error envelope, matching the webrpc shape every OMSX
        service emits. Names and numeric codes are stable identifiers defined in
        `schema/omsx/errors.ridl`.
      properties:
        error:
          type: string
          description: Stable error name from schema/omsx/errors.ridl
          example: Unauthorized
        code:
          type: integer
          description: Stable numeric code from schema/omsx/errors.ridl
          example: 1000
        msg:
          type: string
          description: Human-readable message (kept stable across releases)
          example: unauthorized access
        cause:
          type: string
          description: >-
            Optional internal cause for operator triage; filtered before
            reaching end customers
          example: signature
        status:
          type: integer
          description: HTTP status mirrored in the body for client convenience
          example: 401
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: Token from POST /auth/token

````
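
An added example, not Polygon's code: a client-side token cache for this endpoint that checks the key prefix against the expected (env, mode) before any credentials leave the process, reuses the token until shortly before `expiresIn` elapses, and reports only `ErrorResponse` fields on failure. `TokenCache`, `parse_key_prefix`, the 60-second refresh margin and the injectable `post`/`clock` parameters are assumptions of this example.

```python
import json
import re
import time
import urllib.error
import urllib.request

# Prefix grammar per the apiKey description; assumes the env infix is [a-z]+ (dev, stg).
KEY_RE = re.compile(r"^sk_(?:(?P<env>(?!live_|sdbx_)[a-z]+)_)?(?P<mode>live|sdbx)_")

class TokenError(Exception):
    """Token request failed; the message carries ErrorResponse fields only."""

def parse_key_prefix(api_key):
    """Return (env, mode); env is 'prod' when the key has no env infix."""
    m = KEY_RE.match(api_key)
    if not m:
        raise ValueError("unrecognised API key prefix")
    return (m.group("env") or "prod", m.group("mode"))

def http_post_json(url, body):
    """Default transport: POST JSON, return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

class TokenCache:
    def __init__(self, base_url, api_key, api_secret, expect,
                 post=http_post_json, clock=time.time, skew=60):
        if parse_key_prefix(api_key) != expect:  # e.g. live key in a test job
            raise ValueError("API key prefix does not match expected (env, mode)")
        self.url = base_url + "/auth/token"
        self.creds = {"apiKey": api_key, "apiSecret": api_secret}
        self.post, self.clock, self.skew = post, clock, skew
        self.token, self.deadline = None, 0.0

    def authorization_header(self):
        """Header for every other endpoint; re-authenticates near expiry."""
        if self.token is None or self.clock() >= self.deadline:
            status, body = self.post(self.url, self.creds)
            if status != 200:  # ErrorResponse: report its fields, never creds
                raise TokenError(f"{status} {body.get('error')}: {body.get('msg')}")
            if body.get("tokenType") != "bearer":
                raise TokenError("unexpected tokenType")
            self.token = body["accessToken"]
            self.deadline = self.clock() + body["expiresIn"] - self.skew
        return {"Authorization": "Bearer " + self.token}
```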