Skip to main content
Every Link API request — admin and runtime — must carry a bearer JSON Web Token (JWT) in the Authorization header:

Obtaining a token

Link runs on Hellgate-managed infrastructure and authenticates with the platform OAuth2 flow. Exchange your client credentials for an access token, then send it as a bearer token. Your instance’s audience is its instance name — the {instance} slug from your base URL — and you request it together with the scopes your client needs:
When Link is invoked transitively by another service — for example Specter composing with Link — the token must name every instance in the composition and carry the union of their scopes (for example, audience=my-specter-instance my-link-instance). See Composition for details. See Platform Authentication for the token endpoint, audiences, and the client-credentials request.

Scopes

Each endpoint requires a specific scope. Issue every token with the least privilege it needs — runtime clients should hold only invoke:execute, while configuration and operations belong to separate admin clients.
Runtime and admin scopes serve different audiences. Grant invoke:execute to your payment or decisioning integration; reserve the admin:* scopes for operator and back-office clients that configure protocols, backends, and keys.

Next steps

Quickstart

Use your token to import a protocol, register a backend, and invoke an action.