Skip to Content
DocumentationAuthentication ClusterAPI token (HTTP)

API token (HTTP)

⚡ 5 min read

Server-to-server calls to Transcodes APIs use a JWT from the Transcodes Console sent in the x-transcodes-token header. Transcodes does not issue a separate legacy “API key” string, and x-api-key is not used for these requests.

When you need this

Use a server-only token when:

  • Your backend calls Transcodes HTTP APIs (for example step-up verification, members, or other /v1 routes)
  • You need machine-to-machine access without an end-user browser session

Tokens used with x-transcodes-token are server-side secrets. Never put them in client bundles, public repos, or browser code.

Required header

Every server-to-Transcodes request that expects this auth model must include:

HeaderValue
x-transcodes-tokenJWT string copied from the Transcodes Console  for your organization/project (store as an env var such as TRANSCODES_AUTH_API_TOKEN on the server)

Do not send Transcodes API auth using:

  • x-api-key
  • Authorization: Bearer with a legacy standalone API key string

Obtaining the token

Open Transcodes Console

Sign in at Transcodes Console .

Select organization and project

Use the project whose APIs your backend will call.

Copy the API token

Copy the JWT issued for server / tooling use (the same class of token used for MCP is a related workflow — set TRANSCODES_TOKEN for MCP hosts; for your own backend HTTP calls to api.transcodesapis.com, set x-transcodes-token to the token from the Console).

Store it as a secret

Put the value in your deployment secrets or .env on the server only (for example TRANSCODES_AUTH_API_TOKEN).

Example: curl

curl -sS -X GET \
  'https://api.transcodesapis.com/v1/auth/temp-session/step-up/YOUR_STEP_UP_SID' \
  -H 'x-transcodes-token: YOUR_SERVER_JWT_FROM_CONSOLE' \
  -H 'Content-Type: application/json'

Example: Node.js (fetch)

const AUTH_API_TOKEN = process.env.TRANSCODES_AUTH_API_TOKEN!;
 
const res = await fetch(
  'https://api.transcodesapis.com/v1/example-endpoint',
  {
    headers: {
      'x-transcodes-token': AUTH_API_TOKEN,
      'Content-Type': 'application/json',
    },
  },
);

Scope and rotation

  • The JWT encodes organization, project, and permission context (claims depend on how the token was issued in the Console).
  • When a token is rotated or revoked in the Console, update your server secret and redeploy; requests with the old value will fail with 401 / non-success responses.

What to do next?

  1. Configure JSON Web Key if you verify end-user JWTs from the SDK on your backend.
  2. Set up Webhooks for event-driven integrations.
  3. See Token API and Modal API for client and token flows.
Last updated on
JSON Web KeyMulti-Organization