Token Types
epilot uses three token types for authentication. Choose the right one for your integration:
Token Comparisonโ
| OAuth 2.0 Token | Access Token | Publishable Token | |
|---|---|---|---|
| Lifetime | 60 minutes | Long-lived (no expiry) | Long-lived (no expiry) |
| Use case | Interactive user sessions | Server-side API integrations | Client-side public apps (journeys, portals) |
| Format | JWT (Cognito-issued) | JWT (epilot-issued) | JWT (epilot-issued, public key) |
| Refresh | Via refresh token | Not needed | Not needed |
| Scope | Full user permissions | Scoped to assigned roles | Limited to public API access |
| Security | Keep confidential | Keep confidential | Safe for client-side use |
OAuth 2.0 Tokensโ
epilot uses Amazon Cognito User Pools as the OAuth 2.0 identity provider.
Token Setโ
On successful authentication, Cognito issues three tokens:
- ID Token โ Contains user identity claims (
sub,email,custom:org_id). epilot APIs use this token for authorization. - Access Token โ Standard Cognito access token for the user pool.
- Refresh Token โ Obtains new ID/access tokens without re-authenticating.
Lifetimeโ
OAuth tokens expire after 60 minutes. Use the refresh token to obtain new tokens transparently.
tip
OAuth tokens suit interactive user sessions. For API integrations, use long-lived Access Tokens instead.
Access Tokensโ
Access Tokens are long-lived JWTs for server-side integrations โ the recommended authentication method for backend systems, scripts, and third-party applications. See Access Tokens for full management details.
How They Workโ
The epilot Access Token service issues JWTs with claims compatible with Cognito-issued tokens, so all epilot APIs accept them seamlessly via the standard Authorization header.
Authorization: Bearer <your-access-token>
Creating Access Tokensโ
Create tokens in the epilot portal under Settings > Access Tokens, or programmatically via the Access Token API:
import { authorize, getClient } from '@epilot/sdk/access-token';
const accessTokenClient = getClient();
authorize(accessTokenClient, cognitoIdToken);
const { data } = await accessTokenClient.createAccessToken(null, {
name: 'SAP Integration',
assume_roles: ['123:sap_integration_role'],
});
// data.access_token contains the token โ save it securely
Role Assignmentโ
Scope each Access Token to specific roles via assume_roles. If omitted, the token inherits the creating user's roles.
{
"assume_roles": ["123:sap_integration_role"]
}
warning
Creating access tokens requires the token:create permission. The generated token is shown only once and cannot be recovered.
Revoking Access Tokensโ
Revoke tokens from the management UI or via the API:
DELETE /v1/access-tokens/{id}
Revoked tokens are immediately invalidated.
Publishable Tokensโ
Publishable Tokens are safe to embed in client-side code for public-facing applications like journeys and customer portals.
Characteristicsโ
- Limited scope โ Only grants access to public-facing APIs (submissions, product catalog, file uploads)
- Tenant identity โ Encodes the organization ID, eliminating the need for
x-epilot-org-idheaders - Separate signing key โ Verified via a dedicated public JWKS endpoint, separate from Access Token keys
- Revocable โ Can be rotated or revoked from the Access Token management UI
Usageโ
Pass Publishable Tokens as a bearer token in the Authorization header:
Authorization: Bearer <publishable-token>
Journeys and portals use the Publishable Token from their configuration automatically. You typically don't need to manage these tokens manually.
JWT Structureโ
All token types use JWT (JSON Web Token) format, signed with RS256.
OAuth 2.0 ID Token Claimsโ
| Claim | Description |
|---|---|
sub | Cognito user ID |
email | User's email address |
custom:org_id | Organization ID |
iss | Cognito User Pool issuer URL (https://cognito-idp.<region>.amazonaws.com/<pool-id>) |
exp | Expiration timestamp |
Access Token Claimsโ
| Claim | Description |
|---|---|
token_id | Unique token identifier (e.g., api_5ZugdRXasLfWBypHi93Fk) |
token_name | Human-readable token name |
org_id | Organization ID |
user_id | User identifier (same as token_id for API tokens) |
token_type | Token type: api, journey, portal, assume, app |
assume_roles | List of role IDs (e.g., ["123:owner"]) |
iss | Access Token service issuer URL |
iat | Issued-at timestamp |
Token Verificationโ
The epilot API Gateway authorizer verifies all tokens automatically using JWKS (JSON Web Key Set) endpoints:
| Token Type | JWKS Endpoint |
|---|---|
| OAuth (Cognito) | https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json |
| Access Token | /v1/access-tokens/.well-known/jwks.json |
| Publishable Token | /v1/access-tokens/public/.well-known/jwks.json |
Choosing a Token Typeโ
| Scenario | Token Type | Action |
|---|---|---|
| Backend integration | Access Token | Create under Settings > Access Tokens with scoped roles |
| Interactive user sessions | OAuth Token | Issued automatically on portal login |
| Embedding a journey or portal | Publishable Token | Configured automatically โ no action needed |
See Alsoโ
- Authentication โ OAuth 2.0 login flows and SDK usage
- Security Architecture โ Platform security overview
- Access Tokens โ Creating and managing Access Tokens
- Permissions โ Role-based access control and grants