# API Authentication
source: https://developer.mastercard.com/open-finance-europe/documentation/unlicensed/aiia-data/api-basics/api-authentication/index.md

Endpoints fall into two categories for authentication:

### Endpoints requiring client id and client secret {#endpoints-requiring-client-id-and-client-secret}

These endpoints do not require a Payer to be onboarded, and can be called directly with the credentials from the [Developer Portal](https://devportal.openbanking.mastercard.com) under "Apps". These credentials must be supplied using [Basic HTTP authentication](https://datatracker.ietf.org/doc/html/rfc7617).
Note: No expiration is enforced on client secrets, but rotating them regularly is recommended for security reasons.

### Endpoints requiring an access token {#endpoints-requiring-an-access-token}

These endpoints operate on a user. The token identifies a single user, and can be retrieved by following the [onboarding flow](https://developer.mastercard.com/open-finance-europe/documentation/unlicensed/aiia-data/connect/connect-flow/index.md). The token is supplied by setting the `Authorization` header to `Bearer <access token>`.
Note: Tokens have an expiration time, and must be refreshed regularly.
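
The two header forms described above, as an added example (not code from Mastercard or the Developer Portal). All function names are hypothetical, and the `expires_at`/`skew` bookkeeping is an assumption of this example; it builds headers only and calls no API endpoint.

```python
import base64
import time


class TokenExpired(Exception):
    """The cached access token must be refreshed before it is used again."""


def basic_auth_header(client_id, client_secret):
    """Header for endpoints that take client id and client secret (RFC 7617)."""
    if not client_id or not client_secret:
        raise ValueError("client id and client secret are both required")
    if ":" in client_id:
        # RFC 7617: the first colon separates user-id from password,
        # so a colon inside the id would shift that boundary.
        raise ValueError("client id must not contain ':'")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in client_id + client_secret):
        raise ValueError("control characters are not allowed in credentials")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def bearer_auth_header(access_token, expires_at, skew=30.0, now=None):
    """Header for endpoints that operate on a user.

    expires_at (epoch seconds) and skew are this example's own bookkeeping
    (assumption); the page only states that tokens expire.
    """
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token is empty or contains whitespace")
    now = time.time() if now is None else now
    if now >= expires_at - skew:
        raise TokenExpired("refresh the access token before calling the API")
    return {"Authorization": f"Bearer {access_token}"}


def redact(headers):
    """Copy of the headers that is safe to log: scheme kept, credential hidden."""
    safe = dict(headers)
    if "Authorization" in safe:
        scheme = safe["Authorization"].partition(" ")[0]
        safe["Authorization"] = f"{scheme} <redacted>"
    return safe
```

Base64 is an encoding, not encryption, so the Basic header is as sensitive as the client secret itself; pass headers through `redact` before they reach any log.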

Refer to the [Quick Start guide](https://developer.mastercard.com/open-finance-europe/documentation/unlicensed/aiia-data/quickstart/index.md) for detailed information on authentication.
