All Lexful API requests must be authenticated. Requests without valid credentials are rejected. Lexful uses:
  • An account identifier in the X-Account-ID header.
  • A short-lived Bearer token in the Authorization header.

Authentication flow

Most integrations follow the same basic steps: obtain a token, then use it on subsequent requests.
1. Request a Bearer token

Call the auth endpoint with your API key ID and secret:
curl --location 'https://api.us.lexful.app/v1/auth/token' \
  --header 'X-Account-ID: {YOUR_ACCOUNT_ID}' \
  --header 'Content-Type: application/json' \
  --data '{
    "id": "{YOUR_API_KEY_ID}",
    "secret": "{YOUR_API_KEY_SECRET}"
  }'
The response includes a token that is valid for 60 minutes. Treat the token as sensitive: do not log it or hard-code it.
2. Call APIs with the token

Include the token and your account ID on API requests:
curl --location 'https://api.us.lexful.app/v1/organizations' \
  --header 'X-Account-ID: {YOUR_ACCOUNT_ID}' \
  --header 'Authorization: Bearer {TOKEN}'
3. Handle common errors

If a request fails with an authentication-related error, check for:
  • Missing or incorrect X-Account-ID.
  • Expired or malformed Bearer token.
  • Using credentials from the wrong environment.
Inspect the HTTP status code and error body, then verify your headers and credentials.
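
The three steps above combined into one small client, as an added example (not Lexful's own code): it caches the token for its 60-minute lifetime, renews it early, retries once when a request is rejected, and keeps the secret and token out of its printable form. The names LexfulSession and http_send, the "token" response field, the 5-minute renewal margin and the use of HTTP 401 for a rejected token are assumptions, not taken from this page.

```python
import json, time, urllib.error, urllib.request

BASE = "https://api.us.lexful.app/v1"
TOKEN_TTL = 60 * 60       # from the page: a token is valid for 60 minutes
REFRESH_MARGIN = 5 * 60   # assumption: renew 5 minutes before expiry

def http_send(method, url, headers, body=None):
    """Default transport. Returns (status, parsed JSON or raw error text)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {"error": err.read().decode(errors="replace")}

class LexfulSession:
    def __init__(self, account_id, key_id, secret, send=http_send, clock=time.monotonic):
        self._account, self._key_id, self._secret = account_id, key_id, secret
        self._send, self._clock = send, clock
        self._token, self._renew_at = None, 0.0

    def __repr__(self):  # never expose the secret or token in logs or tracebacks
        return f"LexfulSession(account_id={self._account!r})"

    def _fetch_token(self):
        status, body = self._send(
            "POST", f"{BASE}/auth/token",
            {"X-Account-ID": self._account, "Content-Type": "application/json"},
            {"id": self._key_id, "secret": self._secret})
        if not 200 <= status < 300 or "token" not in body:  # field name assumed
            raise PermissionError(f"token request failed with HTTP {status}: "
                                  "check account ID, key and environment")
        self._token = body["token"]
        self._renew_at = self._clock() + TOKEN_TTL - REFRESH_MARGIN

    def get(self, path):
        """GET an API path, renewing the token when stale or rejected."""
        if self._token is None or self._clock() >= self._renew_at:
            self._fetch_token()
        for attempt in (1, 2):
            headers = {"X-Account-ID": self._account,
                       "Authorization": f"Bearer {self._token}"}
            status, body = self._send("GET", BASE + path, headers)
            if status != 401 or attempt == 2:  # assumed: 401 = bad/expired token
                return status, body
            self._fetch_token()  # retry once with a fresh token
```

Load the key ID and secret from a secret manager or environment variables when constructing the session, and call `session.get("/organizations")` as in step 2.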