Cobre's Authentication API is designed specifically for clients to interact with Cobre with the best, most-secured, and frictionless authentication capabilities, in this way, facilitating access to the Cobre Move Money platform. This API simplifies the process of authentication by leveraging a straightforward approach that requires only a user_id and a secret. These credentials, obtained within the Cobre ecosystem, guarantee a secure and efficient authentication pathway.

Cobre Authentication API Guide

The Cobre Authentication API facilitates secure interactions within the Cobre Money Movement platform. Follow this step-by-step guide to authenticate and use the platform services effectively.

Obtain API Credentials

Before you can authenticate, you need to obtain the necessary API credentials: a user_id and a secret. These credentials are provided within the Cobre ecosystem, ensuring a secure and straightforward way to access the platform.

Authenticate into the Platform

With your API credentials in hand, use them to authenticate into the platform. Send a request to the Authentication API endpoint, including your user_id and secret. Upon successful authentication, the API will return a JSON Web Token (JWT).

Authentication request example:

POST /auth
Content-Type: application/json

{
  "user_id": "your_user_id",
  "secret": "your_secret"
}

Authentication reponse example:

{
    "access_token": "eyJhbGciOiJSUzI1...",
    "type": "Bearer",
    "expiration_time": 1200
}

Start moving money!

With the JWT token in hand, you will be able to initiate all your money movement operations!

How to Get Started

Before you begin, we recommend having clarity on the preliminary steps required before using this solution.

Before using this API

Create your API credentials from the Portal

Access the Portal and find the Developers section at the bottom of the left side menu.

Once in the Developers section, click on the API credentials tab, then in + Create Credential.

A new window will pop-up. Assign an alias and select the role to create your API credential with the necessary access.

Once the credential is generated, make sure you store it in a safe place since it won't be possible to get it again.

What to expect after using this API

Start calling Cobre APIs

See next sections to learn more about Cobre APIs.

Handle the token expiration

Token Management and Caching:

Do not request a new token for each business API call. This is inefficient and may cause you to be blocked due to rate limiting.

Cache the access_token after obtaining it.

Before making a call to the business API, check whether the cached token has expired. It is recommended to request a new token a little before it expires (e.g., 3 minutes earlier) to avoid failures due to expiration.

Why token lifecycle management matters

Cobre APIs use short-lived access tokens, so your integration must handle token refresh in a controlled way:

Do not request a new token on every API call

Instead, cache the token, reuse it, and refresh it only when it’s close to expiration

Implement a single “token manager” that all Cobre API requests share

This provides:

Lower latency (fewer auth calls)

More stable throughput

Cleaner error handling and observability

Better resilience under load

The Recommended Strategy

1) Cache the token and its expiration timestamp

When you request a token, the response includes:

an access token

an expiration duration (often expires_in)

Your integration should compute and store:

token

expires_at = now + expires_in

Store tokens in memory when possible (fastest).
If you run multiple instances, consider a shared cache (Redis, Memcached) so all replicas reuse the same token.

2) Refresh “just in time” using a safety window

Instead of waiting until it expires, refresh a little earlier.

Recommended safety window: refresh if the token expires within the next 60–120 seconds.

This ensures:

no token expires during slow requests

no edge cases due to clock drift

no bursts of 401 in high concurrency scenarios

3) Enforce a single refresh at a time (avoid token storms)

If your system makes parallel requests, you must avoid multiple simultaneous token refreshes (often called a “token storm”).

Use a lock / mutex to ensure only one refresh occurs, and all other requests wait for it.

Reference Implementation (Language-Agnostic Pseudocode)

Use this logic before every request to Cobre:

function getValidToken():
  if cached_token exists AND now < cached_expires_at - safety_window:
      return cached_token

  lock(token_refresh_lock):
      # Double-check after acquiring lock
      if cached_token exists AND now < cached_expires_at - safety_window:
          return cached_token

      response = requestNewToken()
      cached_token = response.access_token
      cached_expires_at = now + response.expires_in
      return cached_token

Get to know our Authentication API technical documentation:

Authentication API

Get Authentication tokens to start using Cobre APIs

Authentication

Cobre Authentication API Guide#

How to Get Started#

Before using this API#

Create your API credentials from the Portal#

What to expect after using this API#

Token Management and Caching:#

Why token lifecycle management matters#

The Recommended Strategy#

1) Cache the token and its expiration timestamp#

2) Refresh “just in time” using a safety window#

3) Enforce a single refresh at a time (avoid token storms)#

Reference Implementation (Language-Agnostic Pseudocode)#

Cobre Authentication API Guide

How to Get Started

Before using this API

Create your API credentials from the Portal

What to expect after using this API

Token Management and Caching:

Why token lifecycle management matters

The Recommended Strategy

1) Cache the token and its expiration timestamp

2) Refresh “just in time” using a safety window

3) Enforce a single refresh at a time (avoid token storms)

Reference Implementation (Language-Agnostic Pseudocode)