A session token is an encoded JSON Web Token representing the institution and customer metadata relevant to a session.

POST /v2/session/startSession

Important

Session tokens should be cached. The API may return a 401 response, but there will be no special indication that the session has expired. (Note that this is a security best practice.)
It is acceptable for a user to have multiple sessions. It is also acceptable if the token is stored in some session that is maintained for the end user.
Session tokens expire after one hour.

After requesting a session token, set it as a custom X-CDLX-Session-Token HTTP header in your subsequent API requests.

Example: cURL Request with SessionToken in Custom HTTP Header

The following example shows a session token being set as an HTTP header. An X-CDLX-Request-Id header is also being set for debugging and tracing.

% curl -X POST -H 'X-CDLX-Request-Id: 56d5d70e-7fb8-43d3-8331-19bb6930bbdb' -H 'X-CDLX-Session-Token: ${token}' publisher-uk-fiuat.cardlytics.com/v2/ads/getAds

Session Expiration

When a session expires, you'll receive a 401 Session Expired response from Cardlytics. In this case, request a new token by making another /startSession API call.

Error Messages Returned

When a user calls startSession, if that user doesn’t have an account associated with it, it will return a 400 error message: User has no accounts