> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tesouro.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Overview

> Learn how to authenticate with the FinOps API.

All requests to the FinOps API must be made over HTTPS and authenticated with a `Bearer` token, generated using the OAuth 2.0 protocol.

## Key concepts

* **Secure data transmission**: API requests must be made via HTTPS. Calls over plain HTTP will not succeed.
* **Bearer token authentication**: All API requests must include a `Bearer` token in the `Authorization` header. This is compliant with [OAuth 2.0](https://oauth.net/2/).
* **Role-based access control (RBAC)**: Tesouro verifies whether the token bearer has permissions to perform the requested operation. See [Permissions reference](/finops/guides/roles/permissions) for the full list of permissions.

<Danger>
  Your client secret must be stored securely. It is not recoverable after creation — if lost,
  contact Tesouro to generate a new one.
</Danger>

## Available methods

<CardGroup cols={1}>
  <Card title="Client credentials" icon="key" href="/finops/guides/authentication/client-credentials" cta="Get started">
    Server-to-server authentication using the OAuth 2.0 `client_credentials` grant. Your backend
    exchanges a client ID and secret for a short-lived access token. Use this for all backend API
    calls.
  </Card>

  <Card title="User token" icon="user" href="/finops/guides/authentication/user-token" cta="Get started">
    Act on behalf of a specific user via OAuth 2.0 Token Exchange (RFC 8693). Use this for
    user-scoped API calls and generating widget tokens for embedded UI components.
  </Card>
</CardGroup>
