Environments

Pylon provides two separate environments, each requiring its own set of credentials:
| Environment | API URL | Auth URL |
| --- | --- | --- |
| Production | https://pylon.mortgage | https://auth.pylon.mortgage |
| Sandbox | https://sandbox.pylon.mortgage | https://auth.pylon.mortgage |
Contact Pylon to obtain your client_id and client_secret for each environment. Never use sandbox credentials in production or vice versa.

Obtaining an access token

Exchange your client credentials for an access token by making a POST request to the auth endpoint:
curl -X POST https://auth.pylon.mortgage/oauth/token \
  --header 'Content-Type: application/json' \
  --data @- <<EOF
{
  "client_id": "${CLIENT_ID}",
  "client_secret": "${CLIENT_SECRET}",
  "audience": "https://pylon.mortgage",
  "grant_type": "client_credentials"
}
EOF
Replace audience with https://sandbox.pylon.mortgage when authenticating against the sandbox environment.

Response

A successful authentication request returns:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer"
}
Your access token expires after 24 hours. Cache and reuse your token until it expires to minimize authentication overhead.
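
One way to implement the caching advice above, as an added example that is not Pylon's own code: a per-environment token cache that reuses a token until shortly before the 24-hour expiry and derives the audience from the environment name so sandbox and production tokens cannot be mixed. The names `TokenCache`, `request_token` and `REFRESH_MARGIN` and the 5-minute refresh margin are assumptions made here.

```python
import json
import time
import urllib.request

AUTH_URL = "https://auth.pylon.mortgage/oauth/token"
AUDIENCES = {
    "production": "https://pylon.mortgage",
    "sandbox": "https://sandbox.pylon.mortgage",
}
TOKEN_LIFETIME = 24 * 3600  # the page states tokens expire after 24 hours
REFRESH_MARGIN = 300        # assumption: refresh 5 minutes before expiry

def request_token(client_id, client_secret, audience):
    """POST the client-credentials body; urlopen raises HTTPError on 400/401/403."""
    body = json.dumps({
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        AUTH_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """In-memory cache keyed by (environment, client_id); nothing is written to disk."""

    def __init__(self, fetch=request_token, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._tokens = {}  # (environment, client_id) -> (token, expires_at)

    def get(self, environment, client_id, client_secret):
        audience = AUDIENCES[environment]  # KeyError on an unknown environment
        key = (environment, client_id)
        cached = self._tokens.get(key)
        if cached and self._clock() < cached[1] - REFRESH_MARGIN:
            return cached[0]  # still valid: no request to the auth endpoint
        reply = self._fetch(client_id, client_secret, audience)
        if reply.get("token_type") != "Bearer" or not reply.get("access_token"):
            # Do not echo the reply: it may contain token material.
            raise ValueError("unexpected token response")
        self._tokens[key] = (reply["access_token"], self._clock() + TOKEN_LIFETIME)
        return reply["access_token"]
```
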

Using your access token

Include your access token as a Bearer token in the Authorization header for all API requests:
curl -X POST "https://pylon.mortgage/graphql" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer ${ACCESS_TOKEN}" \
  --data '{"query": "your query here"}'

Authentication flow

The OAuth 2.0 Client Credentials flow works as follows:

Error handling

| HTTP Status | Error | Resolution |
| --- | --- | --- |
| 400 | Invalid request | Check your request body format and required fields |
| 401 | Invalid credentials | Verify your client_id and client_secret |
| 403 | Forbidden | Confirm your credentials have access to the target environment |