Bearer token, generated using the OAuth 2.0 protocol.
Key concepts
- Secure data transmission: API requests must be made via HTTPS. Calls over plain HTTP will not succeed.
- Bearer token authentication: All API requests must include a
Bearertoken in theAuthorizationheader. This is compliant with OAuth 2.0. - Role-based access control (RBAC): Tesouro verifies whether the token bearer has permissions to perform the requested operation. See Permissions reference for the full list of permissions.
Your client secret must be stored securely. It is not recoverable after creation — if lost,
contact Tesouro to generate a new one.
Available methods
Client credentials
Server-to-server authentication using the OAuth 2.0
client_credentials grant. Your backend
exchanges a client ID and secret for a short-lived access token. Use this for all backend API
calls.User token
Act on behalf of a specific user via OAuth 2.0 Token Exchange (RFC 8693). Use this for
user-scoped API calls and generating widget tokens for embedded UI components.