The Charley API uses OAuth2 / OpenID Connect via Auth0. All requests to protected endpoints must include a valid JWT in the Authorization header.

Getting a Token

From the Dashboard (Dev/Testing)

If you’re testing the API manually, the easiest way to get a token is from your browser’s DevTools while logged in to the dashboard:
  1. Open the Network tab.
  2. Find any /api/* request.
  3. Copy the value of the Authorization: Bearer ... header.

Machine-to-Machine (Client Credentials)

For server-side integrations, use the Auth0 Client Credentials flow:
curl -X POST https://<AUTH0_DOMAIN>/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "<CLIENT_ID>",
    "client_secret": "<CLIENT_SECRET>",
    "audience": "<API_AUDIENCE>",
    "grant_type": "client_credentials"
  }'
The response includes an access_token valid for the specified lifetime.

Using the Token

Include the token in every request:
Authorization: Bearer <access_token>
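
For a server-side integration, the client-credentials request and the Authorization header can be combined into a small token cache that reuses one token and refreshes it shortly before expiry. This is an added example, not code from the Charley API project; the names fetch_token, TokenCache and cache_from_env and the environment variable names are assumptions, and expires_in and token_type are the fields of the standard OAuth2 token response.

```python
import json
import os
import time
import urllib.request


def fetch_token(domain, client_id, client_secret, audience):
    """POST the client-credentials request shown above; return the parsed JSON."""
    body = json.dumps({
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=body, headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuse one access token until shortly before it expires."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch = fetch      # zero-argument callable returning the token response
        self._skew = skew        # refresh this many seconds before expiry
        self._clock = clock      # injectable so expiry handling can be tested
        self._token = None
        self._expires_at = 0.0

    def auth_header(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()
            if resp.get("token_type", "Bearer").lower() != "bearer" or "access_token" not in resp:
                raise ValueError("unexpected token response")
            self._token = resp["access_token"]
            self._expires_at = now + float(resp.get("expires_in", 0))
        return {"Authorization": f"Bearer {self._token}"}


def cache_from_env():
    """Build a cache from environment variables (variable names are assumptions)."""
    e = os.environ
    return TokenCache(lambda: fetch_token(
        e["AUTH0_DOMAIN"], e["AUTH0_CLIENT_ID"], e["AUTH0_CLIENT_SECRET"], e["API_AUDIENCE"]))
```

Reading the client secret from the environment keeps it out of source control, and the cache avoids one token request per API call.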

Token Validation

The API validates tokens using Auth0’s public JWKS. Tokens must:
  • Be signed by your Auth0 tenant
  • Have the correct audience claim
  • Not be expired

Device Enrollment Authentication

Device enrollment uses a separate enrollment key (a long-lived API key), not a user JWT. See the Enrollment API for details.