A session token is an encoded JSON Web Token representing the institution and customer metadata relevant to a session.

POST /v2/session/startSession

Important

Session tokens should be cached. The API may return a 401 response, but there will be no special indication that the session has expired. (Note that this is a security best practice.)
It is acceptable for a user to have multiple sessions. It is also acceptable if the token is stored in some session that is maintained for the end user.
Session tokens expire after one hour.

After requesting a session token, set it as a custom X-CDLX-Session-Token HTTP header in your subsequent API requests.

Example: cURL Request with SessionToken in Custom HTTP Header

The following example shows a session token being set as an HTTP header. An X-CDLX-Request-Id header is also being set for debugging and tracing.

% curl -X POST -H 'X-CDLX-Request-Id: 56d5d70e-7fb8-43d3-8331-19bb6930bbdb' -H 'X-CDLX-Session-Token: ${token}' publisher-uk-fiuat.cardlytics.com/v2/ads/getAds

Session Expiration

When an expired session token is used in an API call, a 401 Session Expired response with be returned. In this case, a new token should be requested by making another/startSession API call.