This page is for Authlete 3.0. For 2.x, see Authentication (2.x) — 2.x uses API key and API secret (HTTP Basic auth) rather than Bearer tokens.

Authentication

All API endpoints are secured using Bearer token authentication. You must include an access token in every request:
Authorization: Bearer YOUR_ACCESS_TOKEN
Authlete supports two types of access tokens: Service Access Token (scoped to a single service) and Organization Token (scoped to your entire organization). The sections below explain how to get each and when to use them.

Getting your access token

Service Access Token

Scoped to a single service (one authorization server instance). Use it for runtime APIs (authorization, token, introspection) and for managing that service’s clients and settings.

How to get a Service Access Token

  1. Log in to the Authlete Console.
  2. Open the Organization that owns the service, then open the Service you want a token for.
  3. Go to Service > Settings > Access Tokens.
  4. Click Create Token and select the permissions you need (e.g. service.read, client.write).
  5. Copy the generated token immediately — it is shown only once. Store it in a secure place (e.g. environment variables or a secret manager).
(Screenshot: Service Access Token creation)

Use this token in the Authorization: Bearer <token> header when calling Authlete APIs for that service.

Organization Token

Scoped to your entire organization. Use it for organization-level management and for APIs that operate across multiple services (e.g. automation, CI/CD, Terraform).

How to get an Organization Token

  1. Log in to the Authlete Console.
  2. Open the Organization you want a token for (or create one first).
  3. Go to Organization Settings > Access Tokens.
  4. Click Create Token and select the org-level permissions you need.
  5. Copy the generated token immediately — it is shown only once. Store it securely.
(Screenshot: Organization Settings - Access Tokens)

Use this token in the Authorization: Bearer <token> header when calling Authlete APIs that require organization-level access.
Important: Tokens inherit the permissions of the account that creates them. Service tokens can only access their specific service. Organization tokens can access all services within your organization. Choose the token type and permissions that match what your application needs.

Which token to use

Use case                                                  | Token type
----------------------------------------------------------|---------------------
OAuth/OIDC runtime (authorization, token, introspection)  | Service Access Token
Managing a single service (clients, endpoints, config)    | Service Access Token
Managing the organization or multiple services            | Organization Token
Automation / CI/CD that creates or updates services       | Organization Token

Token security best practices

  • Never commit tokens to version control — Store them in environment variables or a secure secret manager (e.g. AWS Secrets Manager, HashiCorp Vault).
  • Rotate regularly — Generate new tokens periodically and revoke old ones from the console.
  • Scope appropriately — Request only the permissions your application needs when creating a token.
  • Revoke unused tokens — Delete tokens you are no longer using from the console.

Quick test

Verify your token works with a simple API call:
curl -X GET "https://us.authlete.com/api/service/get/list" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Use a Service Access Token for service-scoped endpoints or an Organization Token for org-scoped endpoints. Replace us.authlete.com with your cluster host (e.g. eu.authlete.com, jp.authlete.com) if you use a different region.
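The same quick test as a small script, added here as an illustration rather than code from Authlete or its SDKs. It keeps the token out of source by reading it from an environment variable, picks the cluster host from the regions the page names, sends the Authorization: Bearer header, and turns a 401 or 403 into a message that says whether the token itself or its permissions/scope is the likely problem. The environment variable names (AUTHLETE_ACCESS_TOKEN, AUTHLETE_REGION) and the region-to-host mapping are assumptions; the endpoint path is the one the page uses.

```python
"""Minimal Authlete 3.0 API call helper (added example, not Authlete's own code)."""
import json
import os
import urllib.error
import urllib.request
from typing import Optional

# Cluster hosts named on the page; treating the region prefix as a lookup key is an assumption.
CLUSTER_HOSTS = {
    "us": "us.authlete.com",
    "eu": "eu.authlete.com",
    "jp": "jp.authlete.com",
}


def base_url(region: str = "us") -> str:
    """Return the API base URL for a known region, refusing unknown ones."""
    if region not in CLUSTER_HOSTS:
        raise ValueError(f"unknown Authlete region {region!r}; expected one of {sorted(CLUSTER_HOSTS)}")
    return f"https://{CLUSTER_HOSTS[region]}/api"


def load_token(env_var: str = "AUTHLETE_ACCESS_TOKEN") -> str:
    """Read the access token from the environment (assumed variable name); never hardcode it."""
    token = os.environ.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set; export a Service Access Token or Organization Token")
    return token


def auth_headers(token: str) -> dict:
    """Headers every Authlete API call carries: Bearer auth plus a JSON Accept."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("access token must be a single non-empty token string")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def explain_status(status: int) -> str:
    """Map the HTTP statuses a token problem produces to an actionable message."""
    if status == 401:
        return "401: token missing, malformed, expired or revoked; create a new one in the console"
    if status == 403:
        return "403: token lacks the permission for this endpoint or is scoped to the wrong service/organization"
    return f"HTTP {status}"


def list_services(region: str = "us", token: Optional[str] = None) -> dict:
    """GET /api/service/get/list (the page's quick test) and return the parsed JSON body."""
    token = token if token is not None else load_token()
    req = urllib.request.Request(
        f"{base_url(region)}/service/get/list",
        headers=auth_headers(token),
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Surface the auth diagnosis instead of a bare traceback.
        raise RuntimeError(explain_status(err.code)) from None


if __name__ == "__main__":
    # Usage: AUTHLETE_ACCESS_TOKEN=... AUTHLETE_REGION=eu python authlete_quick_test.py
    print(json.dumps(list_services(os.environ.get("AUTHLETE_REGION", "us")), indent=2))
```

Run it with the token exported in the shell rather than pasted into the file; a Service Access Token will only list what its service permits, so an unexpected 403 here is usually a scope mismatch rather than a broken token.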

Next steps