Bearer token generated using OAuth 2.0; browser-side application endpoints have an alternative scoped credential for that single application’s flow. The Quick reference lists the token endpoints and grant types at a glance.
Key concepts
- Secure data transmission: API requests must be made via HTTPS. Calls over plain HTTP will not succeed.
- Bearer token authentication: Most API requests include a
Bearertoken in theAuthorizationheader. This is compliant with OAuth 2.0. - Application client secret: Per-application endpoints additionally accept a short-lived scoped credential on the
X-Client-Secretheader, so browser-side surfaces can authenticate without holding a backend bearer token.
Your client secret must be stored securely. It is not recoverable after creation — if lost, you
must generate a new one.
Available methods
Client credentials
Server-to-server authentication using the OAuth 2.0
client_credentials grant. Your backend
exchanges a client ID and secret for a short-lived access token. Use this for all backend API
calls.User token
Act on behalf of a specific user via OAuth 2.0 Token Exchange (RFC 8693). Use this for
user-scoped API calls and generating widget tokens for embedded UI components.
Application client secret
Short-lived, single-application credential returned when an application is created. Use this
from white-label and widget surfaces to authenticate browser-side application calls without
exposing a backend bearer token.