# `TruelayerClient.Auth.Token`
[🔗](https://github.com/iamkanishka/truelayer_client/blob/v1.0.0/lib/truelayer_client/auth/token.ex#L1)

Represents a TrueLayer OAuth2 access token with expiry tracking.

## Token isolation

The `:token_type` field enforces strict isolation between Payments tokens
(used by Payments, Payouts, Mandates) and Data tokens (used by the Data API).
A Data token can never authorise a Payments API call — the `:token_type`
discriminant is checked before every request.

# `t`

```elixir
@type t() :: %TruelayerClient.Auth.Token{
  access_token: String.t(),
  expires_at: DateTime.t(),
  refresh_token: String.t() | nil,
  scopes: [String.t()],
  token_type: token_type()
}
```

# `token_type`

```elixir
@type token_type() :: :payments | :data
```

# `bearer_header`

```elixir
@spec bearer_header(t()) :: {String.t(), String.t()}
```

Returns an `{"authorization", "Bearer <token>"}` header tuple,
ready to merge into a request headers map.

# `expired?`

```elixir
@spec expired?(t()) :: boolean()
```

Returns `true` when this token is expired and should not be used.

The 30-second buffer applied in `from_response/2` ensures tokens are
refreshed before the server rejects them.

# `from_response`

```elixir
@spec from_response(map(), token_type()) :: t()
```

Build a `Token` from a raw OAuth2 response map.

Applies a 30-second safety buffer to `expires_at` to account for clock skew
and network latency between token acquisition and first use.

---

*Consult [api-reference.md](api-reference.md) for complete listing*