# Authentication and limits

To interact with the Nora API, you need to authenticate your requests using a token. All API requests are made to `https://main.formflow-dev.net`. All requests should be made using HTTPS.

### Obtain credentials <a href="#obtain-credentials" id="obtain-credentials"></a>

To access the Nora API, you will need a `clientId` and `clientSecret` value, which are provided by Nora Customer Support upon request. You will also need to know your `organizationId` value.

{% hint style="info" %}

#### Keep your credentials secure

Keep your credentials (`clientId`, `clientSecret`, and `organizationId`) secure. Do not expose them in client-side code or public repositories. If a secret value or its hash surfaces in a public leaks database, Nora will pre-emptively deactivate the affected credentials.
{% endhint %}

You can exchange these for a `Bearer` token, valid for 3600 seconds (1 hour):

**Endpoint**

`POST /api/token`

**Headers**

```
Accept: application/json
Content-Type: application/json
```

**Example request body**

```json
{
  "clientId": "2mvc4Ev4qpU8Y0FbADRq4xpZOhf",
  "clientSecret": "{zPYnGM$c&p+NLH0JNm-xdD'6+VHVuE`1R/xe(7+*eSAIOW^C~)M:8H_32Vd#{J",
  "organizationId": "2nHy8pbeoD5CM9WbjvyGj1VKoUu"
}
```

**Example 200 response**

```json
{
  "token": "eyJhbGciOiJSUzI1NiIs...Ce7EdUsAw",
  "expires_in": 3600,
  "token_type": "Bearer"
}
```

### Authenticate your requests <a href="#authenticate-your-requests" id="authenticate-your-requests"></a>

You can use the token in the response to authenticate all subsequent requests by including it in the Authorization header: `Authorization: Bearer <your_token>`

### Refreshing the token <a href="#refreshing-the-token" id="refreshing-the-token"></a>

Since the token is valid for 3600 seconds (1 hour), you will need to repeat the token request process to refresh your token. Ensure your application is designed to handle token expiration by checking against the `expires_in` value in the response.
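One way to handle expiry, as an added example (not Nora's own client code): the credentials are read from environment variables rather than source code, and the token is cached and re-requested shortly before `expires_in` runs out. The `NORA_*` variable names, the 60-second refresh margin, and the `TokenCache` and helper names are assumptions of this example.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://main.formflow-dev.net/api/token"  # base URL + endpoint from this page
REFRESH_MARGIN = 60  # assumption: seconds before expiry at which a new token is requested


def credentials_from_env(env=os.environ):
    # NORA_* names are assumptions of this example; the point is that the
    # secret lives in the process environment, never in source or a repository.
    return {
        "clientId": env["NORA_CLIENT_ID"],
        "clientSecret": env["NORA_CLIENT_SECRET"],
        "organizationId": env["NORA_ORGANIZATION_ID"],
    }


def fetch_token(env=os.environ):
    """POST the credentials to /api/token and return the parsed JSON body."""
    req = urllib.request.Request(
        TOKEN_URL,
        data=json.dumps(credentials_from_env(env)).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches the Bearer token and refreshes it shortly before it expires."""

    def __init__(self, fetch=fetch_token, clock=time.monotonic):
        self._fetch = fetch  # injectable so the cache can be exercised offline
        self._clock = clock  # monotonic clock: unaffected by wall-clock changes
        self._token = None
        self._expires_at = 0.0

    def auth_header(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN:
            body = self._fetch()
            if body.get("token_type") != "Bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = body["token"]
            self._expires_at = now + int(body["expires_in"])
        return {"Authorization": f"Bearer {self._token}"}
```

Merge the result of `TokenCache().auth_header()` into the headers of each API request; the token itself is never logged or written to disk by this code.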

### Rate Limiting <a href="#rate-limiting" id="rate-limiting"></a>

The API enforces a rate limit of 60 requests per minute to ensure fair usage and maintain performance. If you exceed this limit, the API will return a `429 Too Many Requests` response code. When this occurs, you must wait until the rate limit resets before making additional requests. To avoid interruptions, ensure your application adheres to the rate limit policy.
