***

## title: Authentication

All Rendr API requests must be authenticated using a Bearer token. Tokens are obtained via the Auth Token endpoint using OAuth2.

## Obtain a Token

```http
POST {domain}/{tenant_id}/auth/token
```

<Note>
  **`tenant_id`** is your account identifier provided by Rendr. It scopes all API requests to your brand or store.
</Note>

Tokens expire after **3600 seconds (1 hour)**. Your `client_id` and `client_secret` are provided by your Rendr implementation partner.

### Client Credentials Grant

Use this grant type for server-to-server integrations.

```json
{
    "grant_type": "client_credentials",
    "client_id": "{{client_id}}",
    "client_secret": "{{client_secret}}"
}
```

### Response

By default, the token response is wrapped in a `data` object:

```json
{
    "data": {
        "access_token": "eyJ...Rrlg",
        "expires_at": "2020-12-21T03:19:07.000Z"
    }
}
```

Alternatively, Rendr supports a configuration where the token is returned at the root level of the response, without the `data` wrapper:

```json
{
    "access_token": "eyJ...Rrlg",
    "expires_at": "2020-12-21T03:19:07.000Z"
}
```

<Note>
  The response format is determined by your account configuration. Contact your Rendr implementation partner to confirm which format applies to your integration.
</Note>

## Using the Token

Include the token in the `Authorization` header on every request:

```
Authorization: Bearer {{access_token}}
```

<Warning>
  Tokens expire after 1 hour. Implement token refresh logic in your integration to avoid `401 Unauthorized` errors.
</Warning>