# Exchange keyId + secret for a Bearer token

> Returns a short-lived (~1h) JWT used as `Authorization: Bearer <token>` on all other calls. Each service (BaaS core and Collections gateway) issues its own token from its own key pair.



## OpenAPI

````yaml /api-reference/openapi.json post /generate-token
openapi: 3.1.0
info:
  title: Bridge API
  version: 1.0.0
  description: >-
    Bridge is Banking-as-a-Service: launch wallets, lending, and payment
    collections while a bank/FSP retains custody and compliance. This reference
    covers the production-proven surface. Get a `keyId`/`secret` from the
    Dashboard, exchange them at `/generate-token` for a 1-hour Bearer token,
    then call the product APIs.


    **Auth recovery:** tokens expire after ~1h. On a 401, re-call
    `/generate-token` and retry once.
servers:
  - url: https://{baasHost}/api
    description: BaaS core (KYC, Lending, Wallets)
    variables:
      baasHost:
        default: services.finance.reli.co.tz
  - url: https://{gatewayHost}/api
    description: >-
      Collections gateway (payment collection) — a separate service and key from
      the BaaS core.
    variables:
      gatewayHost:
        default: bridge-fsp.usereli.tech
security:
  - bearerAuth: []
tags:
  - name: Auth
    description: Exchange API keys for a Bearer token.
  - name: KYC
    description: Customers and identity. KYC is the authoritative customer store.
  - name: Lending
    description: Loan products, origination, schedules, and repayments.
  - name: Wallets
    description: Stored-value wallets, deposits, and escrow.
  - name: Collections
    description: Mobile (USSD) payment collection. Separate service + key.
paths:
  /generate-token:
    post:
      tags:
        - Auth
      summary: Exchange keyId + secret for a Bearer token
      description: >-
        Returns a short-lived (~1h) JWT used as `Authorization: Bearer <token>`
        on all other calls. Each service (BaaS core and Collections gateway)
        issues its own token from its own key pair.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/GenerateTokenRequest'
            example:
              keyId: 00000000-0000-4000-8000-000000000000
              secret: <your-api-secret>
      responses:
        '200':
          description: Token issued
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              example:
                token: eyJhbGciOi...
                expiresAt: '2026-01-01T12:00:00.000Z'
                businessId: 2c0219b4-8c70-418d-9e9a-449e7b7643eb
                environment: sandbox
                scopes:
                  - wallet:*
                  - lending:*
                  - identity:*
        '401':
          $ref: '#/components/responses/Unauthorized'
      security: []
components:
  schemas:
    GenerateTokenRequest:
      type: object
      required:
        - keyId
        - secret
      properties:
        keyId:
          type: string
        secret:
          type: string
    TokenResponse:
      type: object
      properties:
        token:
          type: string
        expiresAt:
          type:
            - string
            - 'null'
          format: date-time
        businessId:
          type: string
        environment:
          type: string
          enum:
            - sandbox
            - production
        scopes:
          type: array
          items:
            type: string
  responses:
    Unauthorized:
      description: Missing/expired token. Re-call /generate-token and retry once.
      content:
        application/json:
          example:
            error:
              code: UNAUTHORIZED
              message: Token expired or invalid
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        Bearer token from POST /generate-token. Expires ~1h; on 401, re-generate
        and retry once.

````
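
The auth flow this reference describes (exchange at `/generate-token`, reuse the token until `expiresAt`, on a 401 re-generate and retry once), as an added Python example that is not part of the Bridge documentation. `BridgeClient`, `http_send` and the 60-second expiry skew are names and choices introduced here as assumptions; the transport is injectable so the retry logic can be exercised offline.

```python
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone


def http_send(method, url, headers, body):
    """Default transport (example helper): returns (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class BridgeClient:
    """One instance per service: each service issues its own token from its own key pair."""

    def __init__(self, base_url, key_id, secret, send=http_send):
        if not base_url.startswith("https://"):
            raise ValueError("refusing to send the API secret over a non-TLS URL")
        self.base_url, self._key_id, self._secret = base_url.rstrip("/"), key_id, secret
        self._send, self._token, self._expires = send, None, None

    def _refresh(self):
        # /generate-token is the only call made without a Bearer header.
        status, body = self._send("POST", self.base_url + "/generate-token", {},
                                  {"keyId": self._key_id, "secret": self._secret})
        if status != 200:
            raise PermissionError(f"token exchange failed with HTTP {status}")
        self._token = body["token"]
        exp = body.get("expiresAt")  # the schema allows null here
        self._expires = datetime.fromisoformat(exp.replace("Z", "+00:00")) if exp else None

    def _stale(self, skew=timedelta(seconds=60)):
        # Refresh slightly early (assumed skew) so a token does not expire in flight.
        return self._token is None or (
            self._expires is not None and datetime.now(timezone.utc) >= self._expires - skew)

    def call(self, method, path, body=None):
        if self._stale():
            self._refresh()
        for attempt in range(2):  # the original call plus exactly one retry
            status, resp = self._send(method, self.base_url + path,
                                      {"Authorization": "Bearer " + self._token}, body)
            if status != 401 or attempt == 1:
                return status, resp
            self._refresh()
```

Create one client per service, and load `secret` from a secrets manager or environment variable rather than from source code. A second 401 after the single retry is returned to the caller instead of looping.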