Skip to main content
All requests to the FinOps API must be made over HTTPS and authenticated with a Bearer token, generated using the OAuth 2.0 protocol.

Key concepts

  • Secure data transmission: API requests must be made via HTTPS. Calls over plain HTTP will not succeed.
  • Bearer token authentication: All API requests must include a Bearer token in the Authorization header. This is compliant with OAuth 2.0.
  • Role-based access control (RBAC): Tesouro verifies whether the token bearer has permissions to perform the requested operation. See Permissions reference for the full list of permissions.
Your client secret must be stored securely. It is not recoverable after creation — if lost, contact Tesouro to generate a new one.

Available methods

Client credentials

Server-to-server authentication using the OAuth 2.0 client_credentials grant. Your backend exchanges a client ID and secret for a short-lived access token. Use this for all backend API calls.

User token

Act on behalf of a specific user via OAuth 2.0 Token Exchange (RFC 8693). Use this for user-scoped API calls and generating widget tokens for embedded UI components.