Related resources:




Every call made to the LUSID API must be authorised by an API access token.  

Note: The recommended and most secure option is to obtain a short-lived OAuth2.0-compliant token on demand from LUSID’s identity provider, Okta. 

If it is not possible to use an OAuth2.0-compliant token, you can create a long-lived personal access token and use this to call the API instead. To do this:

  1. Sign in to the LUSID web app as the user for whom the personal access token is intended. This is important; if you sign in as a LUSID administrator, the personal access token (and thus the calling application or service) will inherit more permissions than required to perform the operations for which it is designed.
  2. Navigate to Your Profile (account avatar, top right):
  3. In the Personal access tokens section, specify a Name for display purposes and, optionally, an Expiry date:
  4. Click Create token. The token is displayed only once. Store it in a secure system. You cannot ask to see it again. A user can have up to 3 personal access tokens concurrently.

You can now use the long-lived personal access token in place of a short-lived Okta-generated API access token to call the LUSID API, for example (actual token shortened for brevity): 

curl -X GET https://<your-domain> 
   -H "Authorization: Bearer eyJraWQiOiJvZDFzeFk4WTlPalMyZ2dZT3VidVBYT2dRX0dURkcwZ1...wmlxPjh49DYeEuh_w4vt2Q"

To revoke a personal access token, click the Revoke button: 

A user’s personal access tokens are automatically revoked when their LUSID account is deleted.