There are multiple token types that you will encounter. This page covers when each token should be used, how to acquire them, and other information related to authorization. The types of API tokens are:
  • Partner Token
  • Firm Token
  • Payment Session Token
  • Onboarding Token
To use an API token, add it to your request as the x-api-key header.
Our API tokens are prefixed with some human-readable information. For example, a Partner Token may start with p_secret_sandbox_. The p indicates it’s a Partner Token, secret indicates it’s a secret and should be treated as one, and sandbox indicates that this is for the sandbox environment.

Partner Token

Partner tokens are generated through the Confido Legal partner portal under settings. If you do not have a partner account, please reach out to and we will get you set up.
Partner tokens should never be shared with the frontend. Keep them secured on your server.
The primary use of a Partner Token is to create Firms and Firm Tokens. Below is an example partner token.
p_secret_sandbox_85f5a425**************afb6b1a6

Firm Token

Firm tokens are generated with the createFirmApiToken mutation or the createFirm mutation. This request can be made using a Partner API Token.
Firm tokens should never be shared with the frontend. Keep them secured on your server.
Firm tokens are used for most requests to the Confido Legal API. Some common examples are addPaymentLink, addClient, and addMatter. They are also used to create Payment Session Tokens for hosted fields. Below is an example firm token.
f_secret_sandbox_92828393***************assdj3

Multiple firm tokens and lifecycle

You can create more than one Firm API token for the same Firm (for example via createFirmApiToken, or when each user completes Connect). Key lifecycle properties:
  • Tokens are long-lived: they do not expire on a TTL.
  • There is no refresh or rotate endpoint. To rotate credentials, create a new token, then revoke the old token in the Confido Legal app under Settings → API Tokens (or stop using it).
  • Revoking a token causes the API to reject it immediately.
  • Firm API tokens are not scoped (for example, there is no read-only vs full-access token type). Any valid Firm API token can perform the same Firm-level API operations the product allows for server-side integration.
  • We do not send a webhook when a Firm API token is created or revoked. If a token stops working, handle 401/403 responses by checking whether the token was revoked in the portal.
Sandbox and production use different tokens. Partner and Firm tokens are tied to the environment where they were issued (see the sandbox segment in the token prefix).

Payment Session Token

Payment Session Tokens are generated with the createPaymentToken mutation. This request can only be made with a Firm API token. Payment Session Tokens are one-time-use tokens that should be used to initialize the Confido Legal JavaScript SDK on your frontend. These tokens are meant to be shared with your frontend code.
pay_public_sandbox_31319asd**********123alskdow
For more about Payment Sessions see the hosted fields section.

Onboarding Token

Onboarding Tokens are generated with the createOnboardingToken mutation. This request can only be made with a Firm API token. Onboarding Tokens are short-term tokens that should be used to initialize the Confido Legal JavaScript SDK on your frontend. These tokens are meant to be shared with your frontend code.
onboarding_public_sandbox_31319asd**********123alskdow
For more about Onboarding see the hosted fields section.
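The prefix convention and the server-only versus frontend handling rules described for all four token types above, as an added example that is not Confido Legal's own code. It assumes every token takes the form kind_secret|public_environment_random as in the samples shown, and that the server knows which environment it is configured for; the function names are hypothetical.

```javascript
// Added example, not Confido Legal's own code. Assumes every token has the
// prefix <kind>_<secret|public>_<environment>_<random>, as in the samples above.
const TOKEN_KINDS = {
  p: "Partner Token",
  f: "Firm Token",
  pay: "Payment Session Token",
  onboarding: "Onboarding Token",
};

// Split the human-readable prefix into type, secrecy and environment.
function parseConfidoToken(token) {
  const m = /^(p|f|pay|onboarding)_(secret|public)_([a-z]+)_(.+)$/.exec(token);
  if (!m) throw new Error("unrecognized Confido Legal token format");
  const [, kind, visibility, environment] = m;
  return { type: TOKEN_KINDS[kind], secret: visibility === "secret", environment };
}

// Server side: build the x-api-key header, refusing public tokens and tokens
// issued for a different environment than this server is configured for.
function serverApiHeaders(token, expectedEnvironment) {
  const info = parseConfidoToken(token);
  if (!info.secret) {
    throw new Error(`${info.type} is a public token and cannot authorize server-side calls`);
  }
  if (info.environment !== expectedEnvironment) {
    throw new Error(`token is for ${info.environment}, server is configured for ${expectedEnvironment}`);
  }
  return { "x-api-key": token };
}

// Frontend side: only public tokens (Payment Session, Onboarding) may be
// handed to the JavaScript SDK; a secret token here is a credential leak.
function tokenForFrontend(token) {
  const info = parseConfidoToken(token);
  if (info.secret) throw new Error(`${info.type} must never be shared with the frontend`);
  return token;
}

// Logging helper: keep the informative prefix and last four characters and
// mask the rest, mirroring how the sample tokens on this page are displayed.
function redactForLogs(token) {
  const m = /^([a-z]+_(?:secret|public)_[a-z]+_)(.*)$/.exec(token);
  if (!m) return "[invalid token]";
  const [, prefix, rest] = m;
  return prefix + "*".repeat(Math.max(rest.length - 4, 0)) + rest.slice(-4);
}

// Constructed sample value (the random part is made up, not a real token).
console.log(redactForLogs("f_secret_sandbox_92828393abcdefassdj3"));
```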