Tenant Management
Manage Data Border access tokens
Tenant Management
These endpoints manage Data Border access token lifecycle.
Tenants are created through the Data Border portal. Contact your administrator to get started.
Get Data Border Access Token
Exchanges a tenant refresh token for a Data Border access token.
POST /api/get-adb-access-token
Authentication
Authenticated by the refresh_token in the request body. No management JWT or Authorization header is required.
Request Body
{
"tenant_id": "string",
"refresh_token": "string"
}
| Field | Type | Required | Description |
|---|---|---|---|
tenant_id | string | Yes | The tenant's unique identifier |
refresh_token | string | Yes | The tenant's refresh token |
Response
{
"success": true,
"data": {
"access_token": "eyJhbGciOiJIUzI1NiIs..."
}
}
| Field | Description |
|---|---|
access_token | JWT access token valid for 30 days |
Token Claims
The access token contains:
{
"tenant_id": "clx1y2z3a4b5c6d7e8f9g0h1",
"iat": 1640995200,
"exp": 1643587200
}
Example
curl -X POST https://adb.example.com/api/get-adb-access-token \
-H "Content-Type: application/json" \
-d '{
"tenant_id": "clx1y2z3a4b5c6d7e8f9g0h1",
"refresh_token": "rt_abc123def456..."
}'
Errors
| Status | Message | Cause |
|---|---|---|
| 400 | tenant_id is required | Missing tenant ID |
| 400 | refresh_token is required | Missing refresh token |
| 404 | Tenant not found | Tenant ID doesn't exist |
| 401 | Invalid refresh token | Refresh token doesn't match |
Token Lifecycle
Recommended Refresh Strategy
flowchart TD
A[Application Start] --> B{Token Cached?}
B -->|No| C[Exchange Refresh Token]
B -->|Yes| D{Expires in < 7 days?}
D -->|Yes| C
D -->|No| E[Use Cached Token]
C --> F[Cache Token + Expiry]
F --> E
E --> G[Make API Calls] Loading diagram...
Token Storage
| Token | Storage | Encryption | Access |
|---|---|---|---|
| Tenant Refresh Token | Database | Yes (at rest) | Limited to token refresh |
| Data Border Access Token | Memory/Cache | Optional | API calls |
Security Considerations
- Refresh tokens never expire but can be revoked
- Access tokens are JWTs signed with HS256
- Always transmit tokens over HTTPS
- Never log tokens in plain text
- Implement token refresh before expiry