Auth & Tokens
Every /oi-api call takes a Bearer JWT. The token carries your identity, your workspace, your
access rights, and an expiry.
Get a token
Generate one under APIs -> API Keys: pick an expiry, optionally scope it, click Generate, and copy the token once.
| Expiry | Good for |
|---|---|
| 15 minutes | quick CLI tests |
| 1 hour | short automation |
| 8 hours | a workday |
| 24 hours | daily rotation |
| 7 days | a temporary integration |
| 30 days | a long-lived service |
```bash
curl -X GET 'https://openx.fathym.com/oi-api/warm-queries/{lookup}' \
  -H 'Authorization: Bearer YOUR_TOKEN'
```
Scopes (least privilege)
A token's access rights come from your account and workspace. Request a subset for an integration so it can do only what it needs - a token can never exceed your own rights.
What's enforced on every call
- Authentication - no valid token, 401.
- Access rights - outside your rights, 403.
- Governance-filtered surface - GET /oi-api/openapi lists only the endpoints your rights permit; you see what you can actually call.
- Change history - every call and decision is recorded (see Ship with Confidence).
- Encrypted credentials - connection credentials are stored encrypted and never returned in responses or logs.
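The checks above are the server's; the client's side of the same contract is to send the token from the environment, not to send one it can already see is expired, and to treat 401 and 403 as different failures (re-issue the token versus fix the scope). The helper below is an added example, not Fathym's code or an OpenX SDK. It assumes the endpoint and header format shown on this page, that the JWT's expiry sits in the standard `exp` claim, and an environment variable name (`OPENX_TOKEN`) chosen for illustration. The sample token it builds for the offline demo is constructed and unsigned; signature verification is the server's job, the client only reads `exp` to avoid a pointless round trip.

```python
"""Minimal /oi-api client helper: token from env, local expiry check, status handling.

Added example, not Fathym's code. Endpoint and header format are taken from the
Auth & Tokens page; the `exp` claim name (RFC 7519) and the OPENX_TOKEN variable
name are assumptions.
"""
import base64
import json
import os
import time
import urllib.error
import urllib.request
from typing import Optional

BASE_URL = "https://openx.fathym.com/oi-api"


def jwt_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Only the server verifies tokens; the client reads claims purely so it can
    refuse to send a token that has already expired.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    """Seconds until the token's `exp` claim; negative if already expired."""
    exp = jwt_payload(token).get("exp")
    if exp is None:
        raise ValueError("token carries no exp claim")
    return float(exp) - (time.time() if now is None else now)


def load_token() -> str:
    """Read the token from the environment; never hardcode it in source."""
    token = os.environ.get("OPENX_TOKEN")  # variable name is an assumption
    if not token:
        raise RuntimeError("set OPENX_TOKEN (generate under APIs -> API Keys)")
    if seconds_until_expiry(token) <= 0:
        raise RuntimeError("OPENX_TOKEN has expired; generate a new one")
    return token


def classify_status(status: int) -> str:
    """Map the statuses this page documents to an action for the caller."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "authentication failed: token missing, malformed, expired or revoked"
    if status == 403:
        return "authorization failed: call is outside the token's access rights"
    return f"unexpected status {status}"


class ApiError(Exception):
    """Raised with the classify_status() text so callers can branch on it."""


def get_warm_query(lookup: str, token: Optional[str] = None) -> dict:
    """GET /oi-api/warm-queries/{lookup} with a Bearer token."""
    token = token or load_token()
    req = urllib.request.Request(
        f"{BASE_URL}/warm-queries/{lookup}",
        headers={"Authorization": f"Bearer {token}"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        raise ApiError(classify_status(err.code)) from err


def make_unsigned_sample_token(exp: int) -> str:
    """Constructed sample JWT for offline demos; the signature segment is a dummy."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64({"sub": "demo", "exp": exp}) + ".sig"


if __name__ == "__main__":
    sample = make_unsigned_sample_token(exp=int(time.time()) + 900)  # a "15 minute" token
    print("seconds left:", round(seconds_until_expiry(sample)))
    print(classify_status(401))
    print(classify_status(403))
```

In practice `get_warm_query("some-lookup")` is the only call a script makes; the two exception texts tell an operator whether to generate a fresh token (401) or to re-scope the integration (403), which is the distinction the enforcement list above draws.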
Building over MCP stays human
Any AI can read your warm queries and propose changes over MCP, but accepting stays in the portal - there is no accept tool over MCP, by design. See Bring Any AI.
Limits
Per-query caps apply (see REST API). There is no per-request rate limiting today.
Revoke
Revoke any token immediately from APIs -> Keys -> Revoke. Rotate tokens regularly, read them from environment variables, and never hardcode them.
Clients
Call the API with cURL or any HTTP client, or connect an AI over MCP. There is no OpenX SDK today.