Debricked API Resources

  • 13 January 2023
  • 3 replies


Debricked is an API first service, allowing for all actions inside the UI to be scripted. This allows you to integrate our service into your code, CI pipelines, and more.


All users with the admin role (or API access scope) have access to our open API. This is also the API used by Debricked CLI.


Important API Resources:


How do I authenticate?

The API uses JWT-tokens for authentication.


How do I generate JWT-tokens using the username and password?
In order to get a JWT-token you need to provide your username and password to:

Using curl, the call would look like this:

curl -d _username=YOUR_USERNAME -d _password=YOUR_PASSWORD

If successful, the response will contain your token:



Note: In case your username and/or password contains special characters, you need to url encode and surround it by quotes to ensure that it works as expected. See example:

curl --data-urlencode '' --data-urlencode '_password=password&'


How do I generate JWT-tokens using a long-lived access token?

If you have added an access token, you can use it to get a short-lived JWT token by sending the access token to:

Using curl the call would look like this:

curl -d refresh_token=YOUR_ACCESS_TOKEN


How do I use the tokens?

Keep in mind that the long lived access token, and the short-lived JWT-token are different tokens! You must always exchange your access token for a JWT-token to use the API.


The JWT-token has a lifetime of about an hour. If the JWT-token is invalid (e.g. if it has expired) a 401 status code will be returned. You should therefore implement a way of automatically getting a new token every time you receive a 401 status code from any API call.


When you have your token you need to pass it to the Authorization HTTP header with the value Bearer YOUR_VERY_LONG_TOKEN on each API call.


For example, using curl:

curl -H 'Authorization: Bearer YOUR_VERY_LONG_TOKEN'


API Rate limits

The following rate limits apply:

  • No account: 100 requests per hour (only applies for the Open Source Select API)
  • Free account: 500 requests per hour per code contributor (up to a maximum of 5000 requests per hour)
  • Premium/Enterprise account: 5000 requests per hour per code contributor

If you require a higher rate limit, please contact our sales team.

3 replies

I had problems getting a JWT token, I got 401 and “Invalid credentials.” 
I then realized my password contained a & 
Tried to encode it to %26 without success, so I ended up just changing it

Userlevel 4

@Jerker, hello! We tried to replicate the error and solution and it worked. Our team will reach out to you!


Hi @Jerker. We were now able to reproduce the error. I’ve discussed this a bit with our engineers and there are two things that are causing the issue you experienced.


Firstly, when using special characters in the username and/or the password, you have to change the “-d” before the affected parameter to “--data-urlencode” to perform url encoding when posting the data.


Secondly, ‘&’ is a bit special in this case as well, since it tells bash to run ‘curl’ in the background. Therefore you need to put quotes around the username and/or password as well. So in your case with a password containing a ‘&’, the resulting command would be:

curl -d _username=YOUR_USERNAME --data-urlencode '_password=YOUR_PASSWORD_WITH_&'

If you’re an admin, it’s also possible to generate an Access Token through the UI and use that instead when generating the JWT.

Thank you very much for reporting this, we will make sure to update this page to reflect this case, in case others have similar issues in the future.

EDIT: The article has now been updated