# Authentication (/data-api/api-reference/authentication)

Learn how to authenticate your API requests with Fiskil.



Fiskil uses client-based authentication to secure API access. To interact with our APIs, you'll need a `client_id` and `client_secret`. You can generate and manage these credentials directly from the Fiskil Developer Console.

Authentication Endpoint [#authentication-endpoint]

```
POST https://api.fiskil.com/v1/token
```

Authenticating Your API Requests [#authenticating-your-api-requests]

To authenticate, send your `client_id` and `client_secret` in the JSON body of a `POST` request to the authentication endpoint.

<Callout type="warning">
  **Important:** All requests must be made over HTTPS. Any attempts to connect via HTTP will be automatically rejected to ensure your data remains secure.
</Callout>

Request Parameters [#request-parameters]

| Parameter       | Type   | Required | Description                                                      |
| --------------- | ------ | -------- | ---------------------------------------------------------------- |
| `client_id`     | string | Yes      | The generated client\_id associated with your Team's API key     |
| `client_secret` | string | Yes      | The generated client\_secret associated with your Team's API key |

Example Request [#example-request]

<Tabs items={['cURL', 'Node.js', 'Python']}>
  <Tab value="cURL">
    ```bash
    curl --request POST \
      --url https://api.fiskil.com/v1/token \
      --header 'accept: application/json; charset=UTF-8' \
      --header 'content-type: application/json; charset=UTF-8' \
      --data '{
        "client_id": "{client_id}",
        "client_secret": "{client_secret}"
      }'
    ```
  </Tab>

  <Tab value="Node.js">
    ```javascript
    const response = await fetch('https://api.fiskil.com/v1/token', {
      method: 'POST',
      headers: {
        'accept': 'application/json; charset=UTF-8',
        'content-type': 'application/json; charset=UTF-8'
      },
      body: JSON.stringify({
        client_id: '{client_id}',
        client_secret: '{client_secret}'
      })
    });

    const data = await response.json();
    console.log(data.token);
    ```
  </Tab>

  <Tab value="Python">
    ```python
    import requests

    response = requests.post(
        'https://api.fiskil.com/v1/token',
        headers={
            'accept': 'application/json; charset=UTF-8',
            'content-type': 'application/json; charset=UTF-8'
        },
        json={
            'client_id': '{client_id}',
            'client_secret': '{client_secret}'
        }
    )

    data = response.json()
    print(data['token'])
    ```
  </Tab>
</Tabs>

Example Response [#example-response]

```json
{
  "token": "yMWExMjJhLWEwZGQtNDVmYi1hMWY3LWMzODE4NmI3NmNyMWExMjJhLWEwZGQtNDVmYi1hMWY3LWMzODE4NmI3NmNjZCIsIlRva2VuVVVJRCI6ImUwMmUyMmFmLWUxMDMtNGU1OS1hNjViLWQyZGQwYWY5MGVhZSIsIktleUlEIjoiZmMwYjQyNGUtZWYxNC00MTA4LWIwMTQtZDRkOWI5ZjU4ZmVlIiwiZXhwIjoxNjIxMDgzNzg1LCJpYXQiOjE2MjEwODMxODVgd7QI7_O18P9gfCuEUnKjS0BJw4kb9ul_aFUPTWt0UcZTFwND_X4KcM7Es_eLSkKem7NM_63rhghzBofH7POsQ",
  "expires_in": 900
}
```

Using the Access Token [#using-the-access-token]

Once authenticated, include the token in the `Authorization` header for all subsequent API requests:

```bash
curl --request GET \
  --url https://api.fiskil.com/v1/end-users \
  --header 'Authorization: Bearer {access_token}' \
  --header 'accept: application/json; charset=UTF-8'
```

Keeping Your Credentials Secure [#keeping-your-credentials-secure]

Your `client_id` and `client_secret` are the keys to your account, so treat them with care. Here are a few best practices to help keep them safe:

* Never hardcode your credentials in your source code.
* Avoid storing them in public or private version control systems (like GitHub, even in private repos).
* Use environment variables or a secure secrets management system (like AWS Secrets Manager or HashiCorp Vault).
* Rotate your `client_secret` regularly, and immediately if you suspect any compromise.

<Callout type="error">
  If your credentials are exposed or compromised, revoke them immediately from the Developer Console and generate new ones.
</Callout>

Token Expiration [#token-expiration]

Access tokens expire after the time specified in `expires_in` (in seconds). When your token expires, you'll need to re-authenticate to obtain a new one.

Typical token lifetime is **900 seconds (15 minutes)**.
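
One way to combine the credential-handling advice and the expiry rule above, as an added example that is not Fiskil's own code: it reads the credentials from environment variables and re-authenticates only when the cached token is about to expire. The variable names `FISKIL_CLIENT_ID` and `FISKIL_CLIENT_SECRET`, the `TokenCache` class, and the 30-second early-refresh margin are assumptions made for this example.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://api.fiskil.com/v1/token"  # endpoint documented on this page


def post_token_request(client_id, client_secret):
    """POST the credentials as JSON over HTTPS and return the decoded body."""
    body = json.dumps({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"accept": "application/json; charset=UTF-8",
                 "content-type": "application/json; charset=UTF-8"})
    # urlopen raises HTTPError on 4xx/5xx, so a rejected login never yields a token.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches the access token and re-authenticates shortly before it expires."""

    def __init__(self, fetch=post_token_request, clock=time.monotonic, skew=30):
        # Assumed variable names; a missing variable fails fast with KeyError.
        self._client_id = os.environ["FISKIL_CLIENT_ID"]
        self._client_secret = os.environ["FISKIL_CLIENT_SECRET"]
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            data = self._fetch(self._client_id, self._client_secret)
            self._token = data["token"]
            # Refresh `skew` seconds early so a request never carries a token
            # that expires while it is in flight.
            self._expires_at = now + max(data["expires_in"] - self._skew, 0)
        return self._token

    def auth_header(self):
        """Header to attach to subsequent API requests."""
        return {"Authorization": f"Bearer {self.token()}"}

    def __repr__(self):
        # Keep the secret and the token out of logs and tracebacks.
        return "<TokenCache token=[redacted]>"
```

With the default 900-second lifetime, this re-authenticates roughly every 870 seconds instead of on every request, which keeps the `client_secret` off the wire as much as possible.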
