# token-exchange

API key authentication

## Exchange API key for short-lived access token

 - [POST /auth/token/exchange](https://apidocs.logmycare.co.uk/docs/openapi/token-exchange/exchangetoken.md): Exchange a long-lived API key for a short-lived JWT access token (15 minutes). This provides enhanced security by minimizing API key exposure.

Permissions and Scope:

 - All permissions, scopes, and home access are automatically determined by the API key
 - No need to specify permissions in the request body
 - The generated token will have all permissions associated with the API key

Rate Limits:

 - Production: 10/min, 100/hour, 1000/day per API key
 - Test/Development: 30/min, 100/hour, 500/day per API key

Security Features:

 - Tokens expire automatically after 15 minutes
 - IP-based monitoring and abuse detection
 - Comprehensive audit logging

Usage Pattern:

 1. Exchange the API key for an access token at the secure endpoint
 2. Use the access token for API calls (never use the API key directly)
 3. Re-exchange when the token expires (every 15 minutes)

This follows OAuth 2.0 Token Exchange (RFC 8693) patterns.
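The usage pattern above, as an added client-side example (not Log my Care's own code): a small token cache that exchanges the API key only when the current token is missing or about to expire, sends only the short-lived token on API calls, and keeps a local per-minute exchange budget so a bug in the caller cannot burn the 10/min production limit. The page does not specify how the API key is presented to `POST /auth/token/exchange` or the response JSON shape, so the HTTP call is injected as `exchange_fn` and the `access_token`/`expires_in` field names are assumptions.

```python
"""Token cache for the API-key -> short-lived JWT exchange pattern.

Added example, not Log my Care's code. Assumptions, labelled here:
  - exchange_fn wraps POST /auth/token/exchange (from the page) and
    returns a dict with "access_token" and "expires_in" seconds
    (field names assumed; the page does not give the response shape);
  - tokens live 15 minutes (from the page); we refresh 60 s early;
  - the production limit of 10 exchanges/min per key (from the page)
    is enforced locally as a guard, in addition to the server's limit.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60     # 15-minute tokens (from the page)
REFRESH_SKEW_SECONDS = 60       # re-exchange a minute before expiry
PROD_PER_MINUTE_LIMIT = 10      # production: 10/min per API key (from the page)


@dataclass
class TokenCache:
    api_key: str
    exchange_fn: Callable[[str], Dict[str, object]]  # assumed POST wrapper
    clock: Callable[[], float] = time.time
    exchange_count: int = 0
    _token: Optional[str] = None
    _expires_at: float = 0.0
    _exchange_times: List[float] = field(default_factory=list)

    def _needs_refresh(self) -> bool:
        # Refresh when there is no token or it expires within the skew window.
        return self._token is None or self.clock() >= self._expires_at - REFRESH_SKEW_SECONDS

    def _check_rate_budget(self) -> None:
        # Sliding 60 s window over our own exchanges; fail closed before the server would.
        now = self.clock()
        self._exchange_times = [t for t in self._exchange_times if now - t < 60]
        if len(self._exchange_times) >= PROD_PER_MINUTE_LIMIT:
            raise RuntimeError("local token-exchange budget exhausted; back off")

    def access_token(self) -> str:
        """Return a valid short-lived token, exchanging the API key only when needed."""
        if self._needs_refresh():
            self._check_rate_budget()
            resp = self.exchange_fn(self.api_key)  # assumed response shape, see module docstring
            self._token = str(resp["access_token"])
            self._expires_at = self.clock() + float(resp.get("expires_in", TOKEN_TTL_SECONDS))
            self._exchange_times.append(self.clock())
            self.exchange_count += 1
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Headers for API calls: only the JWT is sent, never the long-lived API key."""
        return {"Authorization": f"Bearer {self.access_token()}"}
```

With a real transport, `exchange_fn` would be the one place in the client that ever sees the API key, which keeps the key out of request logs and per-call code paths.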