> ## Documentation Index
> Fetch the complete documentation index at: https://developers.taboola.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication Basics

## oAuth2

The Taboola Backstage API uses <a href="https://tools.ietf.org/html/rfc6749" target="_blank">OAuth2</a> for authentication.

The concept is simple:

1. Using your `client_id` and `client_secret`, get an Access Token from the Authorization Server
2. Include the Access Token in the header of *each* API request.

## Client ID and Client Secret

When requesting an Access Token you must include your `client_id` and `client_secret`. This enables the Authorization Server to identify *the user account* requesting authorization.

> 📘
>
> Ask your **Taboola Account Manager** to provide you with a`client_id` and `client_secret`.

> 🚧
>
> Your `client_secret` is confidential - *keep it secret*.

## The Access Token

After obtaining an Access Token, include it in the `Authorization` header of *each* API request. (The Access Token identifies who you are - and your set of permissions.)

```http Sample request
GET /backstage/api/1.0/{account_id}/campaigns/ HTTP/1.1
Host: backstage.taboola.com
Authorization: Bearer {access_token}
Content-Type: application/json
```

> 📘
>
> Replace `{access_token}` with your actual token.

An Access Token is valid for **12 hours**.  Once it expires, you will need to initiate a *new* authentication flow.

> 🚧 401 Unauthorized
>
> *Either* of the following will result in a **401 Unauthorized** response:
>
> 1. An API request that is **missing** an `Authorization` header.
> 2. An **invalid** or **expired** Access Token.