> ## Documentation Index
> Fetch the complete documentation index at: https://docs.refold.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Session Token

> In this guide, you'll create Session Token which makes it easier to manage you end customer's tokens.

Now that you have successfully created Linked Accounts for your end-users, it's time to create Session Tokens for your clients. The token creation should always happen server side.

**Session tokens** are used to protect your Refold API key and make it easier to manage your end customers’ tokens. When your client makes a request to the Refold APIs, it must include the session token in the request header. The Refold APIs will then use the session token to authenticate the request and grant access to the requested resources.

To generate Session Token for a Linked Account, you can use the Refold API or Refold's Client Side SDK.

### Refold API/SDK for Session Token

1. **Request** : In your server side code, make a POST Request to the `/session-token` endpoint or call the [**.getTokenForLinkedAccount()**](https://docs.gocobalt.io/sdks/server-side-sdks/nodejs-sdk#gettokenforlinkedaccount) method of the **NodeJS SDK**. The request should include the `linked-account_id` of the user for which the Session token is to be generated.

<Warning>
  The session token gets expired in 24 hours. Please make sure you generate a new token in every new session or within 24 hours.
</Warning>

<CodeGroup>
  ```JavaScript cURL theme={null}
      curl --request POST \
    --url https://api.gocobalt.io/api/v2/public/session-token \
    --header 'Content-Type: application/json' \
    --header 'x-api-key: <api-key>' \
    --data '{
    "linked_account_id": "<string>"
  }'
  ```

  ```JavaScript SDK theme={null}
  try{
      const data = await Client.getTokenForLinkedAccount({
          linked_account_id:"<Account Id of the user eg: example@someemail.com>"
      })
  }catch(error){
      //Catch any error
  }
  ```
</CodeGroup>

2. **Handle the response**: Refold will respond with a JSON Object containing the `token` if request was successful. Parse the JSON response body and extract the `token`.

```JavaScript Response theme={null}
{
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdfaWQiOiI2M2M5M2RhMGI0NmI3MjQzNzg1YTFlMTciLCJsaW5rZWRfYWNjb3VudF9pZCI6IjEyMzQ1Njc4IiwiZW52aXJvbm1lbnQiOiJ0ZXN0IiwiaWF0Ij"
}
```

3. **Store the Session token**: It is critical to store Session tokens securely, as they grant access to sensitive user data. Implement a secure storage solution to store Session tokens and do not log or expose tokens to your frontend application.

4. **Handle Errors**: If the `/session-token` endpoint returns a 500 error, your server-side code should handle it gracefully. The error is returned due to providing an incorrect linked\_account\_id while making the request.

<Check>
  After completing this step, you now have the Session Token for your Linked Accounts.
</Check>