# Authentication

### M2M Auth

{% hint style="warning" %}
To whitelist your domain and avoid CORS issues, follow the steps in [Configuring Allowed Domains (CORS)](https://docs.multiset.ai/basics/credentials/configuring-allowed-domains-cors).
{% endhint %}

{% hint style="info" %}
A token expires 30 minutes after it is generated.
{% endhint %}

{% openapi src="<https://3163433004-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FokTDI7QVY04Zvb1pQ8Ry%2Fuploads%2FBMvPcN9sev4YAIryeJGH%2Fm2mauth.yaml?alt=media&token=a1bda066-906c-49fe-881c-0f4f7dc0c1d0>" path="/m2m/token" method="post" %}
[m2mauth.yaml](https://3163433004-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FokTDI7QVY04Zvb1pQ8Ry%2Fuploads%2FBMvPcN9sev4YAIryeJGH%2Fm2mauth.yaml?alt=media\&token=a1bda066-906c-49fe-881c-0f4f7dc0c1d0)
{% endopenapi %}

## Code Examples

### Browser (JavaScript)

For client-side applications like WebXR, you can generate tokens directly in the browser:

```javascript
async function generateToken(clientId, clientSecret) {
  const authorization = "Basic " + btoa(`${clientId}:${clientSecret}`);

  const response = await fetch("https://api.multiset.ai/v1/m2m/token", {
    method: "POST",
    headers: {
      Authorization: authorization,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      clientId,
      clientSecret,
    }),
  });

  const { token, expiresOn, error } = await response.json();

  if (error) {
    throw new Error(error);
  }

  return { token, expiresOn };
}

// Usage
const { token, expiresOn } = await generateToken('YOUR_CLIENT_ID', 'YOUR_CLIENT_SECRET');
```

{% hint style="warning" %}
Browser-based authentication exposes your credentials in client-side code. This is suitable for prototyping and demos, but for production applications consider using a backend proxy to keep credentials secure.
{% endhint %}

### Node.js (Backend)

For server-side applications:

```javascript
async function generateToken(clientId, clientSecret) {
  const authorization = "Basic " + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');

  const response = await fetch("https://api.multiset.ai/v1/m2m/token", {
    method: "POST",
    headers: {
      Authorization: authorization,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      clientId,
      clientSecret,
    }),
  });

  const { token, expiresOn, error } = await response.json();

  if (error) {
    throw new Error(error);
  }

  return { token, expiresOn };
}
```
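
The following is an added example, not part of the MultiSet documentation: a server-side token cache for the backend-proxy approach recommended in the warning above. It reuses a token until shortly before the 30-minute expiry and shares one refresh among concurrent callers. The environment variable names are hypothetical, and it assumes `expiresOn` is a timestamp that `new Date()` can parse.

```javascript
// Added example, not MultiSet's code. MULTISET_CLIENT_ID / MULTISET_CLIENT_SECRET
// are hypothetical environment variable names.

// Fetch a fresh token; same request as shown on this page, plus status checks.
async function requestToken(clientId, clientSecret) {
  if (!clientId || !clientSecret) throw new Error("M2M credentials are not configured");
  const response = await fetch("https://api.multiset.ai/v1/m2m/token", {
    method: "POST",
    headers: {
      Authorization: "Basic " + Buffer.from(`${clientId}:${clientSecret}`).toString("base64"),
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ clientId, clientSecret }),
  });
  const { token, expiresOn, error } = await response.json();
  if (!response.ok || error) throw new Error(error || `Token request failed: HTTP ${response.status}`);
  return { token, expiresOn };
}

// Cache one token and refresh it shortly before expiry.
// Assumption: `expiresOn` is a timestamp that `new Date()` can parse.
function createTokenCache(fetchToken, { skewMs = 60_000, now = Date.now } = {}) {
  let cached = null;   // { token, expiresAt }
  let inFlight = null; // one refresh shared by concurrent callers

  return function getToken() {
    if (cached && now() < cached.expiresAt - skewMs) return Promise.resolve(cached.token);
    if (!inFlight) {
      inFlight = (async () => {
        const { token, expiresOn } = await fetchToken();
        const expiresAt = new Date(expiresOn).getTime();
        if (!token || Number.isNaN(expiresAt)) throw new Error("Unusable token response");
        cached = { token, expiresAt };
        return token;
      })().finally(() => { inFlight = null; }); // failures are never cached
    }
    return inFlight;
  };
}

// Backend wiring: the secret is read from the server environment only.
const getMultisetToken = createTokenCache(() =>
  requestToken(process.env.MULTISET_CLIENT_ID, process.env.MULTISET_CLIENT_SECRET));
```

A backend route can then return the result of `await getMultisetToken()` to the browser, so only the short-lived token leaves the server.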
