Authentication

To start making calls to Brex APIs, generate a user token from your Brex dashboard and pass it along in your API call headers.

1. Generate a user token

  1. Sign in to dashboard.brex.com as an account admin or card admin .
  2. Go to Developer > Settings .
  3. Click Create Token .
  4. Create a name for your token that will help you identify it. Choose what level of data access you need for your application; these are the scopes your token will have.
    Create your token and choose your scopes
  5. The next screen will confirm your previous selections. Make sure it looks good, then select Allow Access .
    Confirm your scopes
  6. Your token is now created. Copy and store the token securely. You won't be able to see it again.
    Copy token
  7. Back on the developer page of your Brex dashboard, you should see your token listed now. As a security measure, part of the string is obfuscated. If you lose it, create a new one and replace the token.
    Developer dash

Caution: Your user token is private and should not be shared. Never check it into version control or save it somewhere publicly accessible. If your user token is compromised or leaked, make sure to revoke it.

2. Pass the user token in your API call headers

To pass your user token to Brex APIs, add it as a header to your API calls in the following format:

Copy
Copied
Authorization: "Bearer {{your user_token here}}"

If, for example, your user token value is bxt_jBWQLZXtu1f4sVT6UjaWPp7Gh9nVGjzEZgRX, your header will be:

Copy
Copied
Authorization: "Bearer bxt_jBWQLZXtu1f4sVT6UjaWPp7Gh9nVGjzEZgRX"

Token revocation and expiration

User tokens will expire if they are not used to make an API call for 90 days.

If your token is compromised, or you no longer need it, revoke the user token from the developer page in your Brex dashboard. Once revoked, any calls made with this token will immediately begin to fail.

API Server

Brex currently only offers a production API server at https://platform.brexapis.com. This is the base URL for all API calls, except for the Get Card Number call (under the Cards section of the Team API), which should use the production PCI API server: https://secure-platform.brexapis.com.

Copyright © Brex 2019–2022. All rights reserved.