Authentication Basics


The Taboola Backstage API uses OAuth2 for authentication.

The concept is simple:

  1. Using your client_id and client_secret, get an Access Token from the Authorization Server.
  2. Include the Access Token in the header of each API request.

Client ID and Client Secret

When requesting an Access Token you must include your client_id and client_secret. This enables the Authorization Server to identify the user account requesting authorization.


Ask your Taboola Account Manager to provide you with a client_id and client_secret.


Your client_secret is confidential - keep it secret.

The Access Token

After obtaining an Access Token, include it in the Authorization header of each API request. (The Access Token identifies who you are - and your set of permissions.)

GET /backstage/api/1.0/{account_id}/campaigns/ HTTP/1.1
Authorization: Bearer {access_token}
Content-Type: application/json


Replace {access_token} with your actual token.

An Access Token is valid for 12 hours. Once it expires, you will need to initiate a new authentication flow. (In certain special cases, you can submit a Refresh Token instead.)


401 Unauthorized

Either of the following will result in a 401 Unauthorized response:

  1. An API request that is missing an Authorization header.
  2. An invalid or expired Access Token.
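
The rules above (secret kept out of code, 12-hour token validity, 401 on an invalid or expired token) combined in a client-side token cache. This is an added example, not Taboola's code: the environment variable names, the 5-minute renewal margin, and the fetch_token and send callables are assumptions standing in for your own token request and HTTP transport.

```python
import os
import time

TOKEN_LIFETIME_S = 12 * 60 * 60   # the page states a token is valid for 12 hours
REFRESH_MARGIN_S = 5 * 60         # assumption: renew 5 minutes early to avoid racing expiry


class TokenManager:
    """Caches an Access Token and starts a new authentication flow when needed."""

    def __init__(self, fetch_token, clock=time.monotonic):
        # fetch_token(client_id, client_secret) -> str is a hypothetical callable
        # that performs the token request against the Authorization Server.
        self._fetch_token = fetch_token
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def __repr__(self):
        # Keep the token out of logs and tracebacks.
        return f"<TokenManager cached={self._token is not None}>"

    def _credentials(self):
        # Assumed variable names; the secret is read at use time, never hard-coded.
        return os.environ["TABOOLA_CLIENT_ID"], os.environ["TABOOLA_CLIENT_SECRET"]

    def invalidate(self):
        self._token = None

    def auth_header(self):
        # Re-authenticate when no token is cached or the cached one is near expiry.
        if self._token is None or self._clock() >= self._expires_at:
            self._token = self._fetch_token(*self._credentials())
            self._expires_at = self._clock() + TOKEN_LIFETIME_S - REFRESH_MARGIN_S
        return {"Authorization": f"Bearer {self._token}"}

    def request(self, send):
        # send(headers) -> (status, body) is a hypothetical transport callable.
        status, body = send(self.auth_header())
        if status == 401:             # invalid or expired token: re-authenticate once
            self.invalidate()
            status, body = send(self.auth_header())
        return status, body
```

The single retry on 401 is deliberate: a second 401 with a fresh token points to a credential or permission problem, and looping would only hammer the Authorization Server.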