# Create a token

`POST /auth/token`

The returned token authenticates every other call in this API. This
endpoint itself is unauthenticated — no token required to call it.

## Request Body

### application/json

- **object**
  - `client_id` (string, required) — Machine-to-machine client ID issued by Vizit.
  - `client_secret` (string, required) — Machine-to-machine client secret issued by Vizit.
  - `audience` (string, required) — API audience identifier. Always https://ext.vizit.com.
  - `organization` (string, required) — Auth0 organization ID issued by Vizit during onboarding. Required because the Auth0 client grant uses organization_usage: require.
  - `grant_type` (enum: "client_credentials", required) — Must be "client_credentials"

## Responses

### 200 — Access token issued

**application/json**

- **object**
  - `access_token` (string) — JWT access token
  - `token_type` (string)
  - `expires_in` (integer) — Token lifetime in seconds

### 401 — Invalid client credentials

**application/json**

- **object** — Auth/gateway error format (used by [Create a token](/api/authentication/createToken) and the authorizer)
  - `error` (string)
  - `error_description` (string)
