> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mnai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Client-server authentication with JWT

> Use the Meridian access token as a bearer token after your backend has minted it with partner HMAC authentication.

The Meridian JWT is the access token returned by `POST /v1/auth/token`.

After your backend mints that token, your client or backend can send it on later Meridian Accounts requests by using:

```http theme={null}
Authorization: Bearer {token}
```

## Intended flow

JWT authentication is the second step in the Meridian Accounts authentication model:

1. Your backend authenticates to Meridian with partner HMAC credentials.
2. Meridian returns an access token for the target user.
3. Your client or backend uses that JWT on later user-scoped API requests.

Use this flow when you need to call Meridian on behalf of a specific user after you have already established that user context.

## What JWT-authenticated requests need

JWT-authenticated requests use the bearer token in the `Authorization` header.

They do not need partner authentication headers such as:

* `X-Meridian-Api-Key`
* `X-Meridian-Program-Id`
* `X-Meridian-Timestamp`
* `X-Meridian-Signature`
* `X-Meridian-User-Id`

The access token already carries the user context for the request.

## Typical JWT use cases

Use JWT bearer authentication for user-scoped operations such as:

* checking the current enrollment with `GET /v1/enrollment`
* reading information requests and submitting onboarding data
* listing balances
* reading transaction history

For frontend-facing account experiences, JWT bearer authentication is the recommended model because it avoids exposing partner HMAC credentials to the client.

## Refreshing tokens

When the current access token expires, your backend can exchange a previously issued refresh token by calling `POST /v1/auth/token` with the `refresh_token` grant.

Meridian derives the user from the refresh token in that flow, so the request does not depend on a new client-side HMAC signature. Keep the refresh-token exchange on the backend together with your other partner-authenticated token management logic.

## Security notes

* never mint Meridian JWTs directly from a browser or mobile client
* keep the Meridian API Secret on the backend only
* issue or refresh access tokens from trusted server-side code, then pass the resulting bearer token to the component that needs to call Meridian

## Related guides

* [Authentication overview](/products/meridian-accounts/guides/authentication-overview)
* [Server-to-server authentication with HMAC](/products/meridian-accounts/guides/server-to-server-authentication-with-hmac)
* [Displaying account information](/products/meridian-accounts/guides/displaying-account-information)
