A
Atlar API Guide
Step 3 — Authentication — OAuth 2.0
3Step 3 of 10

Authentication — OAuth 2.0

Obtain an access token using Client Credentials.

OAuth 2.0 Client Credentials flow

Atlar supports the OAuth 2.0 Client Credentials grant type. You exchange your ACCESS_KEY and SECRET for a short-lived Bearer token via the token endpoint.

POST
/iam/v2beta/oauth2/token

Exchange credentials for an access token using Basic auth and the client_credentials grant type.

curl -X POST 'https://api.atlar.com/iam/v2beta/oauth2/token' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -u 'ACCESS_KEY:SECRET' \
  -d 'grant_type=client_credentials'

Try it: get a token

Click below to exchange your sandbox credentials for a live access token. The token timer will appear in the sidebar — click the refresh icon when it runs low to keep going.

Connect your credentials on the previous step first

Token response

A successful response returns a JWT access token that expires in 300 seconds (5 minutes):

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
  "token_type": "Bearer",
  "expires_in": 300
}

Using the token

Attach the access token as a Bearer token in the Authorization header of every subsequent API call. In Python, creating a reusable Session makes this effortless:

session = requests.Session()
session.headers.update({
    "Authorization": f"Bearer {access_token}",
    "Accept": "application/json",
})

# Now use session.get(), session.post(), etc.
resp = session.get("https://api.atlar.com/financial-data/v2/accounts")
⚠ī¸

Token expiry

Tokens expire every 5 minutes. In production code, implement automatic token refresh — request a new token before the current one expires. Never cache tokens beyond their expires_in window.

Alternative: HTTP Basic auth

For quick testing, the Atlar API also accepts HTTP Basic authentication directly on any endpoint — no token exchange needed:

# Simpler alternative: HTTP Basic auth on every request
curl 'https://api.atlar.com/financial-data/v2/accounts' \
  -u 'ACCESS_KEY:SECRET'
ℹī¸

When to use which

Basic auth is convenient for ad-hoc testing and curl commands. OAuth tokens are recommended for production integrations since they minimize how often secrets are transmitted over the wire.

🛡ī¸

Security Note

Never log or expose your access tokens. Treat them with the same care as your secret key. If you suspect a token has been compromised, rotate your programmatic access user credentials immediately.

← PreviousRoles & Programmatic AccessNext →Explore Your Accounts