---
layout: default
navsection: api
navmenu: Concepts
title: Authentication

...



Every API request (except the authentication API itself) includes an @access_token@ parameter.

table(table table-bordered table-condensed).
|Name|Type|Description|
|access_token|string|Access token returned by OAuth 2.0 authorization procedure|

Many resources contain "actor" attributes like @modified_by@.  An @access_token@ uniquely identifies a client (application or project) and an end-user.

table(table table-bordered table-condensed).
|Name|Type|Description|
|modified_by_client_uuid|string|ID of API client|
|modified_by_user_uuid|string|ID of authenticated user|

h2. Authorizing a client application

The Arvados API uses the "OAuth 2.0 protocol":http://tools.ietf.org/html/draft-ietf-oauth-v2-22 for authentication and authorization.

h3. Register your client application

Before an application can run on an Arvados cloud, it needs to be registered with the cloud. 

That registration yields a @client_id@ and a @client_secret@. 

h3. Obtain an access code

A client obtains an access code by means of a standard Oauth 2.0 flow. The access code is granted to it by an authorized user. The client requests one or more scopes, which translate to a set of requested permissions (reading, writing, etc). Unless the access is to be short-lived, a refresh token is also granted to the application. 

h3. Refresh the access code (optional)

Access codes have a limited lifetime. A refresh token allows an application to request a new access token.