

Our REST API enables your backend services to send us information we need to implement Cord, such as the identities of your users and organizations.

If your backend code uses Node.js, you can use our server API.


You have an app ID and a secret, which you can get in your Cord Console.

Never share your secret with anyone or include it in client code.

All REST API requests must include a valid server auth token in the HTTP Request headers: Authorization: Bearer <SERVER_AUTH_TOKEN>.


The server auth token is a JWT that must be generated server-side, with a short expiration (1 minute), containing the app ID in the payload app_id field, and signed with the secret using the HS512 (HMAC using SHA-512 hash) algorithm.

You can generate the token with either of the two library options below.

  • import jwt from "jsonwebtoken";
    // <APP_ID> and <SECRET> are the values from your Cord Console.
    const server_auth_token = jwt.sign({ app_id: "<APP_ID>" }, "<SECRET>", {
      expiresIn: "1 min",
      algorithm: "HS512",
    });
  • Install our server-side library.

    npm install @cord-sdk/server

    import { getServerAuthToken } from "@cord-sdk/server";
    // APP_ID and APP_SECRET hold the values from your Cord Console.
    function generateCordServerAuthToken() {
      return getServerAuthToken(APP_ID, APP_SECRET);
    }

You can now use the server auth token to make REST API calls.
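
To show what the token described above contains, the following added example (not Cord's code and not part of the original page) builds the HS512 JWT by hand with Node's built-in crypto module and then checks it the way a receiver of such a token would: algorithm pinned to HS512, signature compared in constant time, expiry enforced. The function names and the sample app ID and secret are constructed for illustration; how Cord validates tokens on its side is not documented here and is an assumption.

```javascript
// Added example: the server auth token built and checked with node:crypto only.
const crypto = require("node:crypto");

const b64url = (input) => Buffer.from(input).toString("base64url");

// Sign { app_id, iat, exp } with HS512; exp is 60 seconds (1 minute) after iat.
function makeServerAuthToken(appId, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: "HS512", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ app_id: appId, iat: nowSec, exp: nowSec + 60 }));
  const signingInput = `${header}.${payload}`;
  const sig = crypto.createHmac("sha512", secret).update(signingInput).digest("base64url");
  return `${signingInput}.${sig}`;
}

// Hypothetical receiver-side check: pin alg, verify the MAC, then enforce exp.
function checkServerAuthToken(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [header, payload, sig] = parts;
  let hdr, claims;
  try {
    hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Never trust the header to choose the algorithm: accept HS512 only.
  if (!hdr || hdr.alg !== "HS512") return { ok: false, reason: "wrong alg" };
  const expected = crypto.createHmac("sha512", secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  if (!claims || typeof claims.exp !== "number" || nowSec >= claims.exp) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, appId: claims.app_id };
}
```

Because the token is only valid for one minute, generate a fresh one for each request or small batch of requests instead of caching it.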
