All requests to the FinOps API must be made over HTTPS and authenticated with a Bearer token, generated using the OAuth 2.0 protocol.

Key concepts

  • Secure data transmission: API requests must be made via HTTPS. Calls over plain HTTP will not succeed.
  • Bearer token authentication: All API requests must include a Bearer token in the Authorization header. This is compliant with OAuth 2.0.
  • Role-based access control (RBAC): Tesouro verifies whether the token bearer has permissions to perform the requested operation. See RBAC permissions for a full reference.

Your client secret must be stored securely. It cannot be recovered after creation; if it is lost, contact Tesouro to generate a new one.

Available methods

Client credentials

Server-to-server authentication using the OAuth 2.0 client_credentials grant. Your backend exchanges a client ID and secret for a short-lived access token. Use this for all backend API calls.

User token

Act on behalf of a specific user via OAuth 2.0 Token Exchange (RFC 8693). Use this for user-scoped API calls and generating widget tokens for embedded UI components.
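The two grants above in code, as an added example that is not Tesouro's own SDK or documentation: the token endpoint URL, the `post` callback, the `skew` value, the `subject_token` value and its token-type URN are assumptions, since the page does not specify them.

```python
import time
from urllib.parse import urlparse

# Grant and token-type URNs defined by RFC 8693 (OAuth 2.0 Token Exchange).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"  # assumed subject type

def require_https(url):
    """Refuse to send credentials anywhere but an https:// endpoint (plain HTTP fails anyway)."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url

class TokenClient:
    """Fetches short-lived access tokens per grant and reuses them until shortly before expiry."""

    def __init__(self, token_url, client_id, client_secret, post, clock=time.time, skew=30):
        self.token_url = require_https(token_url)          # token endpoint URL is an assumption
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.clock, self.skew = post, clock, skew   # post(url, form) -> JSON dict
        self._cache = {}                                       # cache key -> (token, expires_at)

    def _token(self, key, form):
        token, expires_at = self._cache.get(key, (None, 0))
        if token and self.clock() < expires_at - self.skew:
            return token                                       # still valid, reuse it
        form.update(client_id=self.client_id, client_secret=self.client_secret)
        body = self.post(self.token_url, form)                 # secret only ever leaves over HTTPS
        self._cache[key] = (body["access_token"], self.clock() + int(body["expires_in"]))
        return body["access_token"]

    def client_credentials_token(self):
        """Backend-to-backend token via the OAuth 2.0 client_credentials grant."""
        return self._token("client", {"grant_type": "client_credentials"})

    def user_token(self, subject_token):
        """User-scoped token via RFC 8693 token exchange; cached per subject token."""
        return self._token(("user", subject_token), {
            "grant_type": TOKEN_EXCHANGE_GRANT,
            "subject_token": subject_token,
            "subject_token_type": ACCESS_TOKEN_TYPE})

    def auth_header(self, token):
        return {"Authorization": f"Bearer {token}"}

# Constructed stand-in for the token endpoint so the example runs offline.
def fake_token_endpoint(url, form):
    grant = form["grant_type"].rsplit(":", 1)[-1]
    return {"access_token": f"{grant}-{form.get('subject_token', 'svc')}", "expires_in": 3600}
```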