# Authentication

{% hint style="warning" %}
Make sure you have an active license and access to the API (free trial or beta version).
{% endhint %}

### Overview

Our API uses OAuth2 Client Credentials authentication to allow secure access for machine-to-machine interactions. This guide will help you obtain an access token and use it to authenticate requests.

### Authentication Endpoint

To obtain an access token, send a `POST` request to the token endpoint:

```http
POST https://sso.ecoinvent.org/realms/ecoinvent/protocol/openid-connect/token
```

#### Request Parameters

The request must include the following parameters in the body as `application/x-www-form-urlencoded`:

| Parameter       | Type   | Description                 |
| --------------- | ------ | --------------------------- |
| `grant_type`    | string | `client_credentials`        |
| `client_id`     | string | Your assigned client ID     |
| `client_secret` | string | Your assigned client secret |

{% hint style="info" %}
You can find your `client_id` and `client_secret` for both free trial and beta version [here](https://accounts.ecoinvent.org/api).
{% endhint %}

#### Example Request (cURL)

```bash
curl -X POST https://sso.ecoinvent.org/realms/ecoinvent/protocol/openid-connect/token \
     -d "grant_type=client_credentials" \
     -d "client_id=your_client_id" \
     -d "client_secret=your_client_secret" \
     -H "Content-Type: application/x-www-form-urlencoded"
```

### Response

A successful request returns a JSON response containing the access token:

```json
{
    "access_token": "your_access_token",
    "expires_in": 3600,
    "token_type": "Bearer",
    "not-before-policy": 0,
    "session_state": "9ee34d1b-1f9d-4019-bac8-11c32eaff894"
}
```

{% hint style="info" %}
Make sure your request headers include `Content-Type: application/x-www-form-urlencoded`
{% endhint %}

### Using the Access Token

Include the access token in the `Authorization` header of your API requests:

#### Example Request

```bash
curl -X GET https://api.ecoinvent.org/v0/versions \
     -H "Authorization: Bearer your_access_token"
```

### Token Expiry

Tokens expire after `expires_in` seconds (e.g., 3600 seconds = 1 hour). Request a new token when it expires.

### Error Handling

If authentication fails, the API returns an error response:

```json
{
    "error": "invalid_client",
    "error_description": "Invalid client or Invalid client credentials"
}
```

Ensure that your `client_id` and `client_secret` are correct.

### Security Best Practices

* Keep your `client_id` and `client_secret` secure.
* Do not expose credentials in client-side applications.
* Rotate credentials periodically.
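
The token lifecycle described under Token Expiry, Error Handling and Security Best Practices, as an added example (not ecoinvent's own client code): it caches the token until shortly before `expires_in` elapses, raises on an `invalid_client` answer, and reads the credentials from the environment rather than from source code. The class and function names, the `ECOINVENT_CLIENT_ID` / `ECOINVENT_CLIENT_SECRET` variable names and the 30-second renewal margin are assumptions.

```python
import json, os, time, urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://sso.ecoinvent.org/realms/ecoinvent/protocol/openid-connect/token"


class AuthError(Exception):
    """Raised when the token endpoint does not return an access token."""


def post_form(url, fields):
    """POST fields as application/x-www-form-urlencoded; return (status, JSON body)."""
    data = urllib.parse.urlencode(fields).encode()  # urllib sets the form Content-Type
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # error answers still carry a JSON body
        return err.code, json.load(err)


class TokenProvider:
    """Caches the access token and renews it shortly before expires_in elapses."""

    def __init__(self, client_id, client_secret, transport=post_form,
                 clock=time.monotonic, skew=30):  # skew: assumed safety margin (s)
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._deadline = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._deadline:
            status, body = self._transport(TOKEN_URL, self._creds)
            if status != 200 or "access_token" not in body:
                # Surface only the OAuth2 error code; never echo the secret.
                raise AuthError(body.get("error", f"http_{status}"))
            self._token = body["access_token"]
            self._deadline = self._clock() + body["expires_in"] - self._skew
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}


def provider_from_env(env=os.environ, **kwargs):
    """Build a provider from environment variables instead of hard-coded values."""
    # Variable names are this example's assumption, not defined by the API.
    return TokenProvider(env["ECOINVENT_CLIENT_ID"], env["ECOINVENT_CLIENT_SECRET"], **kwargs)
```

Pass `provider.auth_header()` as the headers of each API request; the token endpoint is contacted only when the cached token is missing or about to expire.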

For further assistance, contact our [support team](https://ecoinvent.org/contact-us/).


