---
title: "Authentication"
slug: authentication
url: https://invertbio.com/docs/api/authentication
---

# Authentication

Tokens for Invert's external API are issued through Auth0. The same authentication flow applies to both the [Core](/docs/api/core) and [DSP](/docs/api/dsp) views.

### Receive a token from Auth0

To get a valid token, run the following command:

```bash
curl --request POST \
  --url https://invert.eu.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{
    "client_id": "<CLIENT_ID>",
    "client_secret": "<CLIENT_SECRET>",
    "audience": "https://api.invertbio.com/",
    "grant_type": "client_credentials"
  }'
```

`CLIENT_ID` and `CLIENT_SECRET` will be shared with you separately. The token returned by Auth0 will be valid for **24 hours** and will need to be sent along with each SQL request.

The response will look like this:

```json
{
  "access_token": "<ACCESS_TOKEN>",
  "expires_in": 86400,
  "token_type": "Bearer"
}
```

### Using the token

Include the token in the `Authorization` header of every request:

```bash
curl -H "Authorization: Bearer <ACCESS_TOKEN>" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{"statement": "SELECT * FROM v_bioprocesses LIMIT 1"}' \
  https://api.invertbio.com/external/v1/statements/
```

If the token is invalid or expired, the response will be:

```json
{
  "message": "Unauthorized"
}
```

Get a new Auth0 token and retry.
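
The two steps above combined into one client, as an added example that is not Invert's own code: it reuses the token until shortly before `expires_in` elapses and, on an `Unauthorized` response, fetches a new token and retries once. The environment variable names `INVERT_CLIENT_ID` and `INVERT_CLIENT_SECRET`, the 300-second margin, and the expectation that error responses carry a JSON body are assumptions of this example.

```python
import json, os, time, urllib.error, urllib.request

TOKEN_URL = "https://invert.eu.auth0.com/oauth/token"
AUDIENCE = "https://api.invertbio.com/"
STATEMENTS_URL = "https://api.invertbio.com/external/v1/statements/"

def post_json(url, payload, headers=None):
    """POST JSON and return the decoded JSON body, including error bodies."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", **(headers or {})})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # assumption: error body is JSON, as shown above

class TokenCache:
    """Reuses one access token until shortly before `expires_in` elapses."""
    def __init__(self, post=post_json, clock=time.monotonic, margin=300):
        self.post, self.clock, self.margin = post, clock, margin
        self.token, self.expires_at = None, 0.0

    def get(self):
        if self.token is None or self.clock() >= self.expires_at:
            # Assumed variable names; keeps the secret out of source and shell history.
            body = self.post(TOKEN_URL, {
                "client_id": os.environ["INVERT_CLIENT_ID"],
                "client_secret": os.environ["INVERT_CLIENT_SECRET"],
                "audience": AUDIENCE,
                "grant_type": "client_credentials"})
            self.token = body["access_token"]
            self.expires_at = self.clock() + body["expires_in"] - self.margin
        return self.token

    def invalidate(self):
        self.token = None

def run_statement(statement, cache):
    """Send one SQL statement; refresh the token and retry once if rejected."""
    for _ in range(2):
        body = cache.post(STATEMENTS_URL, {"statement": statement},
                          {"Authorization": f"Bearer {cache.get()}"})
        if body != {"message": "Unauthorized"}:
            return body
        cache.invalidate()  # token expired or revoked: force a new one
    raise PermissionError("still Unauthorized after refreshing the token")
```

Create one `TokenCache()` per process and pass it to every `run_statement` call so the Auth0 endpoint is contacted only when a token is actually needed.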
