Cobru
PaymentsPayoutsPlatformChangelog
Platform

Authentication

Credential model, token refresh flow, and security guidance for the Cobru API.

Cobru uses a layered authentication model:

  • x-api-key: your integration key
  • Authorization: Bearer {access}: a short-lived access token from /token/refresh/

Start here

  1. Store x-api-key and the refresh token only in backend secret storage.
  2. Mint an access token from /token/refresh/.
  3. Cache the access token centrally before making routine API calls.
  4. Reuse the token until refresh is needed instead of minting on every request.

Credential roles

CredentialWhere to use itNotes
x-api-keybackend requestsTreat it as an integration credential and keep it out of frontend bundles
refresh tokenbackend secret storage onlyUsed only to mint short-lived access tokens
access tokenbackend requestsCache aggressively, rotate often

Token refresh flow

curl -X POST https://dev.cobru.co/token/refresh/ \
  -H "x-api-key: $COBRU_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"refresh":"'"$COBRU_REFRESH_TOKEN"'"}'

Expected response

{ "access": "eyJ0eXAi..." }

The body field is refresh, not refresh_token. This discrepancy is one of the most important Cobru quirks to document internally.

Required headers for API requests

x-api-key: {your_api_key}
Authorization: Bearer {access}
Accept: application/json
Content-Type: application/json

Token lifetime and caching

PropertyRecommendation
Observed token lifetimeabout 60 minutes
Safe cache TTL50 minutes
Edge runtime caveatin-memory caches do not persist between invocations
Production fixkeep the token in Redis, Vercel KV, or another shared cache

Environment variables

COBRU_BASE_URL=https://dev.cobru.co
COBRU_API_KEY=...
COBRU_REFRESH_TOKEN=...

Security checklist

  • Keep all Cobru credentials in server-side environment variables only.
  • Never send x-api-key to browsers or mobile clients.
  • Refresh the access token from the server, not from the frontend.
  • Rotate credentials when team membership changes.
  • Use HTTPS-only callback URLs in production.
  • /docs/getting-started
  • /docs/webhooks
  • /docs/api/authentication/refresh

Platform

Previous Page

Webhooks

Next Page

On this page

Start hereCredential rolesToken refresh flowRequired headers for API requestsToken lifetime and cachingEnvironment variablesSecurity checklistRead next