# Authentication and limits

To interact with the Nora API, you need to authenticate your requests using a token. All API requests are made to `https://main.formflow-dev.net`. All requests should be made using HTTPS.

### Obtain credentials <a href="#obtain-credentials" id="obtain-credentials"></a>

To access the Nora API, you will need a `clientId` and `clientSecret` value, which are provided by Nora Customer Support upon request. You will also need to know your `organizationId` value.

{% hint style="info" %}

#### Keep your credentials secure

Ensure your credentials (`clientId`, `clientSecret`, and `organizationId`) are kept secure. Do not expose them in client-side code or public repositories. Should a secret value or its hash surface in a public leaks database, Nora will pre-emptively deactivate such credentials.
{% endhint %}

You can exchange these credentials for a `Bearer` token, valid for 3600 seconds (1 hour):

**Endpoint**

`POST /api/token`

**Headers**

```
Accept: application/json
Content-Type: application/json
```

**Example request body**

```json
{
  "clientId": "2mvc4Ev4qpU8Y0FbADRq4xpZOhf",
  "clientSecret": "{zPYnGM$c&p+NLH0JNm-xdD'6+VHVuE`1R/xe(7+*eSAIOW^C~)M:8H_32Vd#{J",
  "organizationId": "2nHy8pbeoD5CM9WbjvyGj1VKoUu"
}
```

**Example 200 response**

```json
{
  "token": "eyJhbGciOiJSUzI1NiIs...Ce7EdUsAw",
  "expires_in": 3600,
  "token_type": "Bearer"
}
```

### Authenticate your requests <a href="#authenticate-your-requests" id="authenticate-your-requests"></a>

You can use the token in the response to authenticate all subsequent requests by including it in the Authorization header: `Authorization: Bearer <your_token>`

### Refreshing the token <a href="#refreshing-the-token" id="refreshing-the-token"></a>

Since the token is valid for 3600 seconds (1 hour), you will need to repeat the token request process to refresh your token. Ensure your application is designed to handle token expiration by checking against the `expires_in` value in the response.

### Rate Limiting <a href="#rate-limiting" id="rate-limiting"></a>

The API enforces a rate limit of 60 requests per minute to ensure fair usage and maintain performance. If you exceed this limit, the API will return a `429 Too Many Requests` response code. When this occurs, you must wait until the rate limit resets before making additional requests. To avoid interruptions, ensure your application adheres to the rate limit policy.
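The following is an added example, not Nora's own code, covering both the token refresh and the rate limit described above: it caches the token until shortly before `expires_in` elapses and paces requests on the client side so the application stays under 60 per minute. The environment variable names, the 60-second refresh margin, and treating the limit as a sliding 60-second window are assumptions.

```python
import json, os, time, urllib.request
from collections import deque

TOKEN_URL = "https://main.formflow-dev.net/api/token"

def fetch_token_from_env():
    """POST /api/token with credentials from (assumed) environment variables, never from source."""
    body = {k: os.environ[v] for k, v in (("clientId", "NORA_CLIENT_ID"),
            ("clientSecret", "NORA_CLIENT_SECRET"), ("organizationId", "NORA_ORGANIZATION_ID"))}
    req = urllib.request.Request(TOKEN_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Reuses the Bearer token and requests a new one shortly before expires_in elapses."""
    def __init__(self, fetch=fetch_token_from_env, clock=time.monotonic, skew=60):
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def auth_header(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            body = self._fetch()
            if body.get("token_type") != "Bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = body["token"]
            # Refresh `skew` seconds early so a request never carries an expired token.
            self._expires_at = now + body["expires_in"] - self._skew
        return {"Authorization": f"Bearer {self._token}"}

class RateLimiter:
    """Client-side guard: at most `limit` requests in any `window` seconds (assumed window model)."""
    def __init__(self, limit=60, window=60.0, clock=time.monotonic):
        self._limit, self._window, self._clock = limit, window, clock
        self._sent = deque()  # send times of requests still inside the window

    def delay(self):
        """Seconds to wait before the next request may be sent (0.0 means send now)."""
        now = self._clock()
        while self._sent and now - self._sent[0] >= self._window:
            self._sent.popleft()
        if len(self._sent) < self._limit:
            return 0.0
        return self._window - (now - self._sent[0])

    def record(self):
        """Call once for every request actually sent, including token requests."""
        self._sent.append(self._clock())
```

Before each call, sleep for `delay()` seconds, send the request with `auth_header()`, then call `record()`; a `429` response still has to be handled by waiting, since the server's own counter is authoritative.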


