Skip to Content
APIResourcesFeedbackAuthentication

Authentication

Authentication endpoints for token exchange and installation configuration.

Get Installation Configuration

GET /api/v2/auth/config

Returns installation configuration including signing algorithm, expected claims, and rate limits. This endpoint is used by SDKs to configure JWT signing before calling the exchange endpoint.

GET /api/v2/auth/config
curl "https://api.markup.io/api/v2/auth/config?publicKey=some+publicKey" \
    -X GET \
    -H "Authorization: Bearer <API-KEY-SECRET>" \
    -H "Markup-API-Version: 2023-02-22" \
    -H "Content-Type: application/json"
200 OK
{
    "data": {
        "installationId": "some installationId",
        "expectedAud": "some expectedAud",
        "expectedIss": "some expectedIss"
    }
}

Response Body AuthConfigResponse

OptionType
installationId string
expectedAud string
expectedIss string

Request Query Params AuthConfigRequest

OptionType
publicKey string

Exchange Token

POST /api/v2/auth/exchange

Exchanges a customer-signed JWT for a MarkUp exchange token. The exchange token can then be used to authenticate subsequent API requests.

POST /api/v2/auth/exchange
curl "https://api.markup.io/api/v2/auth/exchange" \
    -X POST \
    -H "Authorization: Bearer <API-KEY-SECRET>" \
    -H "Markup-API-Version: 2023-02-22" \
    -H "Content-Type: application/json" \
	--data '{
    "token": "some token"
}'
200 OK
{
    "data": {
        "exchangeToken": "some exchangeToken",
        "expiresAt": "2026-06-09T07:17:45.225Z",
        "workspaceId": "some workspaceId",
        "userId": "some userId",
        "markupRole": {}
    }
}

Response Body ExchangeTokenResponse

OptionType
exchangeToken string
expiresAt Iso8601Timestamp
workspaceId string
userId string
markupRole FeedbackMarkupRole

Request Body ExchangeTokenRequest

OptionType
token string

SDK Exchange Token

POST /api/v2/auth/sdk-exchange

Exchanges a verified Okta access token (from a Markup-website-authenticated caller) for an SDK-scoped MarkUp exchange token. Used by the SDK silent-bridge and popup sign-in flows so the SDK can call /v2 endpoints without requiring the host app to mint a customer-signed JWT. allowExchangeToken: false ensures only Okta tokens are accepted — an existing SDK exchange token MUST NOT be reusable to mint a fresh one (no infinite token life via self-exchange).

POST /api/v2/auth/sdk-exchange
curl "https://api.markup.io/api/v2/auth/sdk-exchange" \
    -X POST \
    -H "Authorization: Bearer <API-KEY-SECRET>" \
    -H "Markup-API-Version: 2023-02-22" \
    -H "Content-Type: application/json" \
	--data '{
    "publicKey": "some publicKey",
    "markupId": "some markupId",
    "sdkOrigin": "some sdkOrigin"
}'
200 OK
{
    "data": {
        "exchangeToken": "some exchangeToken",
        "expiresAt": "2026-06-09T07:17:45.225Z",
        "workspaceId": "some workspaceId",
        "userId": "some userId",
        "markupRole": {},
        "validatedSdkOrigin": "some validatedSdkOrigin",
        "name": "some name"
    }
}

Response Body - SdkExchangeResponse

Request Body SdkExchangeRequest

OptionType
publicKey string
markupId string
sdkOrigin string
state optionalstring

SDK Exchange Result

GET /api/v2/auth/sdk-exchange/result

Retrieves the SDK session minted by a prior /auth/sdk-exchange, keyed by the interactive sign-in state nonce. The SDK polls this after opening the sign-in popup. This is the reliable delivery path for logged-out sign-in: the popup routes through an IdP whose Cross-Origin-Opener-Policy severs window.opener, so the popup’s postMessage cannot be relied on. Intentionally NOT behind isAuthenticated — the SDK holds no Okta/exchange token at this point. Authorization is the unguessable state nonce plus re-verification of the consumer context (publicKey / markupId / Origin) recorded at mint time; single-use + TTL.

GET /api/v2/auth/sdk-exchange/result
curl "https://api.markup.io/api/v2/auth/sdk-exchange/result?state=some+state&publicKey=some+publicKey&markupId=some+markupId" \
    -X GET \
    -H "Authorization: Bearer <API-KEY-SECRET>" \
    -H "Markup-API-Version: 2023-02-22" \
    -H "Content-Type: application/json"
200 OK
{
    "data": {
        "exchangeToken": "some exchangeToken",
        "expiresAt": "2026-06-09T07:17:45.225Z",
        "workspaceId": "some workspaceId",
        "userId": "some userId",
        "markupRole": {},
        "validatedSdkOrigin": "some validatedSdkOrigin",
        "name": "some name"
    }
}

Response Body - SdkExchangeResponse

Request Query Params SdkExchangeResultRequest

OptionType
state string
publicKey string
markupId string

SdkExchangeResponse

OptionType
SdkExchangeResponse
Workspace UsersWebhooks