Authentication
Most API requests require an access token.
Your integration gets an access token by exchanging API credentials at the authentication endpoint. It then sends that token as a bearer token on subsequent requests.
How authentication works
Authentication separates long-lived credentials from short-lived access tokens.
API credentials identify the account or user your integration acts as. Access tokens authorise individual API requests and expire after a limited time.
To authenticate:
- create or obtain API credentials;
- exchange those credentials at
POST /oauth/token; and - use the returned
access_tokenin theAuthorizationheader.
You need permission to create credentials in the dashboard, or you need credentials issued by someone with the right access.
Choose a credential type
For most backend integrations and automation workloads, use account credentials. They are scoped to an account and are the safest default when your integration does not need to act as a specific user.
Use user credentials when API actions need to be attributed to a user, or when the workflow needs the organisations and accounts available to that user.
Token exchange
Both credential types use the same authentication endpoint.
Account credentials use grant_type: "client_credentials" with a client_id and client_secret.
User credentials use grant_type: "user_token" with a user token and secret.
See Account credentials or User credentials for the exact request examples.

