To use Skyflow's Management API, Data API, or SDKs, you need a bearer token to authenticate your API calls. Bearer tokens allow time-limited, scoped, and permission-sensitive access to your Skyflow account and the vaults it contains.

infoSkyflow's bearer tokens match the RFC's Authorization Bearer Token Header specification.


    Sign in to your Skyflow account:

      For sandbox and production environments, use your dedicated sign-in URL.

    If you don't have an account, sign up for a free trial account.

    Create a vault

Create a service account

When generating tokens using a Skyflow SDK or Python script, you must create a service account. A service account is an identity for machine access to your vault. The service account's roles, and the policies attached to those roles, decide the level of access a service account has to a vault.

infoYou must have Vault Owner permissions to create a service account.

If you already have a service account, skip to the method you want to use to generate a bearer token.

    In Studio, click Settings in the upper navigation.In the side navigation, click Vault, then choose the vault you want to create a service account for from the dropdown menu.Under IAM, click Service Accounts, then click New Service Account.For Name, enter a value. For example, "Authenticate".For Roles, select Vault Editor.Optional: To enforce context-aware authentication, click the dropdown menu next to Context Aware Authentication and select the option for Inject context ID in bearer tokens.Click Create.Your browser downloads a credentials.json file. Store this file in a secure location. You'll need it to generate bearer tokens.

Generate a bearer token

You can generate a bearer token with an SDK, Python script, or (if you're in a trial environment) through Skyflow Studio. In production environments, we recommend using Skyflow-provided SDKs.

Use an SDK

When you integrate your backend systems with one of Skyflow's SDKs, you can use service account credentials to generate bearer tokens. Bearer tokens generated from SDKs are valid for 60 minutes and let you make API calls allowed by the policies associated with the service account.

Step 1: Install the SDK

Now that you have your credentials.json file, it's time to prepare the SDK in the language of your choice.

Make sure your project is using Go Modules:

go mod init

Then reference skyflow-go in a Go program with import:

import (
  saUtil ""
  Skyflow ""

Step 2: Generate the bearer token

With the SDK installed, you can generate bearer tokens by passing your credentials.json file into an appropriate language-specific function.

The Go SDK has two functions that can take credentials.json and return a bearer token:

    GenerateBearerToken(filepath) takes the path to credentials.json as input.GenerateBearerTokenFromCreds(credentials) takes the body of credentials.json as a string as input.


package main

import (
    saUtil ""

var bearerToken = ""

func GetSkyflowBearerToken() (string, error) {

	if saUtil.IsExpired(bearerToken) {
		newToken, err := saUtil.GenerateBearerToken(filePath)
		if err != nil {
			return "", err
		} else {
			bearerToken = newToken.AccessToken
			return bearerToken, nil
	return bearerToken, nil

Once you have your bearer token, you can programmatically interact with Skyflow APIs. See next steps.

Use Studio

If you're in a trial environment, you can generate bearer tokens through Studio. Bearer tokens generated in Studio are valid for 24 hours and let you make API calls allowed by the policies associated with your account.

    In Studio, click your account icon and choose Generate API Bearer Token.Click Generate Token.

Studio copies the token onto your clipboard.

"Generating a bearer token in Studio."

Use a Python script

In production environments, we recommend you generate bearer tokens using Skyflow-provided SDKs. However, you can use this Python script to test generating bearer tokens on your local machine. To execute the script, make sure you have the credentials.json file, downloaded during the service account creation.

infoThis guide uses Homebrew to run Python installation commands. Adapt your Python installation accordingly.

Step 1: Prepare your environment

From your terminal, run the following commands to install python and the appropriate libraries.

Install Python version 3.5 or later.

brew install python

Install the following libraries:

pip3 install PyJWT

pip3 install requests

pip3 install cryptography

Step 2: Install the Python bearer token script

Now that you have your credentials.json file, it's time to prepare the Python script for generating a bearer token. To get started, copy, and paste the following script into your IDE.

import json
# Requests lib installation: 'pip install requests'
# PyJWT lib installation:
# 'pip install pyjwt[crypto]>=2.0.0' or
# 'pip install cryptography; pip install pyjwt>=2.0.0'
import jwt
import requests
import time

def getSignedJWT(credsFile):
   # credsFile is the filepath to your credentials.json file
   # Load the credentials.json file into an object called creds
   fd = open(credsFile)
   creds = json.load(fd)

   # Create the claims object with the data in the creds object
   claims = {
       "iss": creds["clientID"],
       "key": creds["keyID"],
       "aud": creds["tokenURI"],
       "exp": int(time.time()) + (3600), # JWT expires in Now + 60 minutes
       "sub": creds["clientID"],
   # Sign the claims object with the private key contained in the creds object
   signedJWT = jwt.encode(claims, creds["privateKey"], algorithm='RS256')
   return signedJWT, creds

def getBearerToken(signedJWT, creds):
   # Request body parameters
   body = {
       'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
       'assertion': signedJWT,
   # Request URI (==
   tokenURI = creds["tokenURI"]

   # Send the POST request using your favorite Python HTTP request lib
   r =, json=body)
   return r.text

jwtToken, creds = getSignedJWT('<PATH_TO_CREDENTIALS.JSON>')
bearerToken = getBearerToken(jwtToken, creds)

Locate the jwtToken, creds parameter and enter the full path to your credentials.json file.

jwtToken, creds = getSignedJWT('<PATH_TO_CREDENTIALS.JSON>')

Save this file as to a secure location. You'll need it to execute the script.

Step 3: Generate a bearer token

From your terminal, navigate to the folder with the script and run the following command to generate a bearer token.


Skyflow validates the JWT assertion and returns a bearer token.

       "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL21hbmFnZS5za3lmbG93YXBpcy5kZXYiLCJjbGkiOiJ5NGIwZm....pOqmlI_CWY2V6MEBTqnVHuAo1-9MBSW8REp-mv_-mJqOe8TMb9dOImcXzM7jEpW79Fqs3-HCo-cUikWwy6tjjvVqHW-4pqG005pGzxrAt275Q2LU1pXwUfUM6idH9o2ydlpTp0-ujPQgVQXh8w9LsqE58Qtm4lRU8Sr8FMdx72qnuahD5Xoh1KL7D-DFZaYMrof9aTfUFUctUBzOUbL4_z2bEf2wkHouSPOZGI3uHIM54mjX013NkNXzMltP8GiP5GimC3PX-jA",
       "tokenType": "Bearer"

Once you have your bearer token, you can programmatically interact with Skyflow APIs. See next steps.

Next steps

You can now use your bearer token to interact with Skyflow APIs.

If you're new to Skyflow, see Get started with Skyflow. Otherwise, see the various ways you can use Skyflow APIs:

In this article