Sessions

Create Session

Create a new Session for a Public Application.

POST
https://api.basistheory.com/sessions

Request

curl "https://api.basistheory.com/sessions" \
  -H "BT-API-KEY: <PUBLIC_API_KEY>" \
  -X "POST"

Response

Returns a CreateSessionResponse if the session was created. Returns an error if there were validation errors or the session could not be created.

{
  "session_key": "<SESSION_API_KEY>",
  "nonce": "4J7SiRvfADwJ9ZqwviJJs8",
  "expires_at": "2023-01-09T20:14:55.2130891+00:00"
}

The session_key should not be shared with any other application. It should only be used by the one creating it. The session will not have any access until it is authorized.

Authorize Session

Authorize a created session with permissions or access rules, using a Private Application.

POST
https://api.basistheory.com/sessions/authorize

Request

curl "https://api.basistheory.com/sessions/authorize" \
  -H "BT-API-KEY: <PRIVATE_API_KEY>" \
  -H "Content-Type: application/json" \
  -X "POST" \
  -d '{
    "nonce": "4J7SiRvfADwJ9ZqwviJJs8",
    "permissions": [ "token:create", "token:read" ]
  }'

Request Parameters

| Attribute | Required | Type | Default | Description |
| --- | --- | --- | --- | --- |
| nonce | true | string | null | A one-time use code to authorize the session |
| permissions | false | array | [] | An array of Permissions granted to the application tied to the session |
| rules | false | array | [] | An array of Access Rules granted to the application tied to the session |
| expires_at | false | string | null | ISO 8601 compatible DateTime at which the session will be deleted. By default it is 3 minutes from the session creation date |

Either permissions or rules is required to be non-empty when authorizing a Session.

Response

Returns no payload. Returns an error if there were validation errors, or the session authorization failed.
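
An added example, not taken from the Basis Theory documentation or SDK: a backend helper that validates a nonce and a permission set before building the authorize request shown above, so a session is never granted more than the backend intends. The permission allow-list, the 3-minute cap on expires_at and the BT_PRIVATE_API_KEY environment variable are assumptions of this example, and it sends permissions only, not rules.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

AUTHORIZE_URL = "https://api.basistheory.com/sessions/authorize"  # from the page
# Assumption: this backend's own policy for what a session may be granted.
ALLOWED_PERMISSIONS = {"token:create", "token:read"}
MAX_TTL = timedelta(minutes=3)  # assumption: never outlive the documented default

def build_authorize_body(nonce, permissions, expires_at=None, now=None):
    """Validate inputs against the Request Parameters table; return the JSON body."""
    now = now or datetime.now(timezone.utc)
    if not isinstance(nonce, str) or not nonce:
        raise ValueError("nonce is required")
    permissions = list(permissions)
    if not permissions:  # no rules are sent here, so permissions must be non-empty
        raise ValueError("permissions must be non-empty")
    extra = set(permissions) - ALLOWED_PERMISSIONS
    if extra:
        raise ValueError(f"permissions outside allow-list: {sorted(extra)}")
    body = {"nonce": nonce, "permissions": permissions}
    if expires_at is not None:
        if expires_at.tzinfo is None:
            raise ValueError("expires_at must be timezone-aware")
        if not now < expires_at <= now + MAX_TTL:
            raise ValueError("expires_at must be in the future and within MAX_TTL")
        body["expires_at"] = expires_at.isoformat()
    return body

def build_authorize_request(body, api_key):
    """Build, but do not send, the POST; pass it to urllib.request.urlopen to send."""
    return urllib.request.Request(
        AUTHORIZE_URL,
        data=json.dumps(body).encode(),
        headers={"BT-API-KEY": api_key, "Content-Type": "application/json"},
        method="POST",
    )

if __name__ == "__main__":
    # Constructed input: the nonce is the sample value from the page's example.
    body = build_authorize_body("4J7SiRvfADwJ9ZqwviJJs8", ["token:create"])
    key = os.environ.get("BT_PRIVATE_API_KEY", "<PRIVATE_API_KEY>")
    req = build_authorize_request(body, key)
    print(req.get_method(), req.full_url, json.dumps(body))  # key is not printed
```
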

Create Session Response Object

| Attribute | Type | Description |
| --- | --- | --- |
| session_key | string | The Session API key which should be used for authenticating against Basis Theory API endpoints |
| nonce | string | A one-time use code to authorize the session |
| expires_at | date | Expiration date of the Session in ISO 8601 format. Defaults to 3 minutes after the creation date |