# App tokens

In the Unifize platform, token generation adheres to the two-legged OAuth2.0 protocol, which is particularly useful for applications needing to authenticate and authorize without direct user involvement.

## Creating an app

The process kicks off with a developer creating an app within the Unifize environment. Upon successful creation, the developer is provided with two crucial pieces of information: an app id and a private key. These elements are fundamental to the token generation process, which forms the backbone of secure communication between the app and Unifize's APIs.

## Crafting token request JWT

The next step involves constructing a JSON Web Token (JWT), which serves as the vehicle for requesting an access token. Within this JWT, three essential claims are defined.

* The `iss` claim represents the app id, uniquely identifying the app making the request.
* The `iat` claim specifies the issued-at timestamp, reflecting the current time in seconds based on Coordinated Universal Time (UTC).
* The `exp` claim indicates the expiration of the token, set to the value of `iat` plus 600 seconds, establishing a 10-minute validity window.

The JWT must be signed with the app's private key using the RS256 algorithm (RSA signature with SHA-256). This cryptographic signature validates the authenticity of the request.

## Requesting a token

Having constructed and signed the JWT, the application proceeds to the token request phase. This involves making a POST request to the `/application/token` endpoint, accompanied by an `Authorization` header populated with the value `Bearer <JWT>`. This header encapsulates the JWT, signaling to the server that the request is made on behalf of a trusted entity.

Upon successful validation, the server responds with an access token and its associated expiration timestamp. This access token acts as a digital key, enabling the application to perform authorized actions on the Unifize platform.

Consequently, the application can now interact with various APIs by including the `Authorization` header, formatted as `Bearer <access_token>`, to authenticate each request seamlessly.
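The steps above as an added example (not Unifize's own code), using only Node.js built-ins: it builds and signs the token-request JWT, self-checks it locally, and shows the POST. The app id, base URL, demo key pair, JSON response format and the `checkTokenRequestJwt` helper are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Build the token-request JWT: iss = app id, iat = now (UTC seconds), exp = iat + 600.
function buildTokenRequestJwt(appId, privateKey, nowSec = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const claims = b64url(JSON.stringify({ iss: appId, iat: nowSec, exp: nowSec + 600 }));
  const signingInput = `${header}.${claims}`;
  // 'sha256' with an RSA key yields an RSASSA-PKCS1-v1_5 signature, i.e. RS256.
  const signature = nodeCrypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Hypothetical local self-check before sending: pinned alg, valid signature, 10-minute window.
function checkTokenRequestJwt(jwt, publicKey, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, claims, signature] = parts;
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
  if (alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const valid = nodeCrypto.verify('sha256', Buffer.from(`${header}.${claims}`),
    publicKey, Buffer.from(signature, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  const { iss, iat, exp } = JSON.parse(Buffer.from(claims, 'base64url').toString());
  if (exp - iat !== 600) return { ok: false, reason: 'exp must be iat + 600' };
  if (nowSec < iat || nowSec >= exp) return { ok: false, reason: 'outside validity window' };
  return { ok: true, iss };
}

// POST the signed JWT to the token endpoint. baseUrl is a placeholder, and the
// response is assumed to be JSON; its field names are not given on this page.
async function requestAccessToken(baseUrl, jwt) {
  const res = await fetch(`${baseUrl}/application/token`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${jwt}` },
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed demo key pair; a real app signs with the private key issued at app creation.
const demoKeys = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoJwt = buildTokenRequestJwt('example-app-id', demoKeys.privateKey, 1700000000);
console.log(checkTokenRequestJwt(demoJwt, demoKeys.publicKey, 1700000300));
```

Because the JWT is only valid for 10 minutes, build a fresh one for each token request rather than caching it.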


