# Issue action token

Source: https://business-api-docs.youhodler.com/docs/api/reference/action-tokens/action-tokens-create

Issues a short-lived action token that authorises a specific money-movement command. The token is bound to the caller and to the command digest of the requested action. Pass it in the `X-Action-Token` header when submitting the authorised command (e.g. `POST /withdrawals`). Service principals are exempt from this requirement.

## Request

**Request URL — POST**
```http
POST /action-tokens
```

**Request Body — application/json**
```json
{
  "action": "withdrawal.create",
  "withdrawal": {}
}
```

## Responses

**201 Resource created successfully**

```json
{
  "bound_actor": "users/b8e2f1a0-4c3d-4e5f-9a1b-2c3d4e5f6a7b",
  "bound_command_digest": "sha256:abcdef1234567890",
  "expires_at": "2026-05-01T10:00:00Z",
  "token": "act_tok_abc123xyz"
}
```

**400 Invalid request payload**

Invalid request payload, query, or parameter shape.

```json
{
  "code": "invalid_request",
  "message": "Invalid request payload."
}
```

**401 Caller is not authenticated or the bearer token is invalid**

```json
{
  "code": "unauthorized",
  "message": "Caller is not authenticated."
}
```

**403 Caller lacks the required capability or permitted scope**

```json
{
  "code": "forbidden_capability_scope",
  "message": "Caller lacks the required capability or scope."
}
```

**409 State conflict — the request cannot be applied to the current resource state**

```json
{
  "code": "state_conflict",
  "message": "State conflict — the request cannot be applied to the current resource state."
}
```

**422 Operation is not admissible — it violates a business rule**

Operation is not admissible — it violates a business rule, policy constraint, or lifecycle precondition specific to this resource.

```json
{
  "code": "not_admissible",
  "details": {
    "reason": "not_admissible"
  },
  "message": "The operation is not admissible in the current state."
}
```

**429 Request rate limit exceeded**

Request rate limit exceeded. Retry after the delay indicated in the `details.retry_after_ms` field.

```json
{
  "code": "rate_limited",
  "details": {
    "retry_after_ms": 5000
  },
  "message": "Too many requests."
}
```

**502 Upstream service returned an unexpected error**

```json
{
  "code": "upstream_error",
  "message": "An upstream service returned an unexpected error."
}
```

**503 Service is temporarily unavailable**

Service is temporarily unavailable; retry with backoff.

```json
{
  "code": "temporarily_unavailable",
  "message": "Service is temporarily unavailable; retry with backoff."
}
```
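
The client-side flow this reference describes (issue a token, honour the 429 and 503 retry guidance, check the binding and expiry, then present the token in `X-Action-Token`), as an added example that is not part of the original documentation or the vendor's code. `send` is a hypothetical transport callable that performs the authenticated HTTP request and returns `(status, json)`; the 503 backoff delays, the reuse of the same `withdrawal` object for `POST /withdrawals`, and the sample replies in `demo()` are assumptions constructed for illustration.

```python
import time
from datetime import datetime, timezone

class ActionTokenError(Exception):
    """Raised when no usable action token could be obtained."""

def issue_action_token(send, withdrawal, expected_actor, max_attempts=4, sleep=time.sleep):
    """POST /action-tokens, retrying only on 429 and 503 as the reference describes."""
    body = {"action": "withdrawal.create", "withdrawal": withdrawal}
    for attempt in range(max_attempts):
        status, data = send("POST", "/action-tokens", {}, body)
        if status == 201:
            break
        if status == 429:    # the server states the delay in details.retry_after_ms
            sleep(data["details"]["retry_after_ms"] / 1000)
        elif status == 503:  # backoff; the base delay is this example's choice
            sleep(0.5 * 2 ** attempt)
        else:                # 400/401/403/409/422/502: no retry guidance is given
            raise ActionTokenError(f"{status} {data.get('code')}")
    else:
        raise ActionTokenError("retries exhausted")
    # Refuse a token bound to a different principal than the one we act as.
    if data["bound_actor"] != expected_actor:
        raise ActionTokenError("token bound to unexpected actor")
    expires = datetime.fromisoformat(data["expires_at"].replace("Z", "+00:00"))
    if expires <= datetime.now(timezone.utc):
        raise ActionTokenError("token already expired")
    return data

def submit_withdrawal(send, withdrawal, expected_actor, **kw):
    tok = issue_action_token(send, withdrawal, expected_actor, **kw)
    # Assumption: submit exactly the object the token was issued for, since the
    # token is bound to that command's digest. The token value is never logged.
    return send("POST", "/withdrawals", {"X-Action-Token": tok["token"]}, withdrawal)

def demo():
    """Constructed offline transport: one 429, then a 201 in the documented shape."""
    calls, waits = [], []
    replies = [(429, {"code": "rate_limited", "details": {"retry_after_ms": 5000}}),
               (201, {"bound_actor": "users/example", "token": "act_tok_example",
                      "expires_at": "2999-01-01T00:00:00Z"})]
    def send(method, path, headers, body):
        calls.append((method, path, headers, body))
        return replies.pop(0) if path == "/action-tokens" else (201, {})
    submit_withdrawal(send, {}, "users/example", sleep=waits.append)
    return calls, waits

if __name__ == "__main__":
    print(demo())
```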
