> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tesouro.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Overview

> Learn how to authenticate with the Embedded Banking API.

All requests to the Embedded Banking API must be made over HTTPS. Most endpoints authenticate with a `Bearer` token generated using OAuth 2.0; browser-side application endpoints have an alternative scoped credential for that single application's flow. The [Quick reference](/embedded-banking/api/concepts/quick-reference) lists the token endpoints and grant types at a glance.

## Key concepts

* **Secure data transmission**: API requests must be made via HTTPS. Calls over plain HTTP will not succeed.
* **Bearer token authentication**: Most API requests include a `Bearer` token in the `Authorization` header. This is compliant with [OAuth 2.0](https://oauth.net/2/).
* **Application client secret**: Per-application endpoints additionally accept a short-lived scoped credential on the `X-Client-Secret` header, so browser-side surfaces can authenticate without holding a backend bearer token.

<Danger>
  Your client secret must be stored securely. It is not recoverable after creation — if lost, you
  must generate a new one.
</Danger>

## Available methods

<CardGroup cols={1}>
  <Card title="Client credentials" icon="key" href="/embedded-banking/guides/authentication/client-credentials" cta="Get started">
    Server-to-server authentication using the OAuth 2.0 `client_credentials` grant. Your backend
    exchanges a client ID and secret for a short-lived access token. Use this for all backend API
    calls.
  </Card>

  <Card title="User token" icon="user" href="/embedded-banking/guides/authentication/user-token" cta="Get started">
    Act on behalf of a specific user via OAuth 2.0 Token Exchange (RFC 8693). Use this for
    user-scoped API calls and generating widget tokens for embedded UI components.
  </Card>

  <Card title="Application client secret" icon="key" href="/embedded-banking/guides/authentication/application-client-secret" cta="Get started">
    Short-lived, single-application credential returned when an application is created. Use this
    from white-label and widget surfaces to authenticate browser-side application calls without
    exposing a backend bearer token.
  </Card>
</CardGroup>
