# Authentication

Marqeta’s Core API enforces HTTP Basic Authentication on incoming requests. This mechanism carries the credentials in the standard `Authorization` request header.

<h2 id="_authentication_types">
  Authentication types
</h2>

All requests must provide the application token as the username. This token identifies the application that sent the request. The password can be either unspecified, an admin access token, a user access token, or a single-use access token. Depending on the password value provided, the Marqeta platform assigns one of four authentication types to the request. Each authentication type corresponds to an authorization level that controls the request’s access to API endpoints and data.

The following table summarizes the Marqeta platform authentication types and their corresponding authorization levels.

| Authentication Type and Authorization Level | Application Token Required as Username | Admin Access Token Required as Password | User Access Token Required as Password | Single-Use Access Token Required as Password |
| ------------------------------------------- | -------------------------------------- | --------------------------------------- | -------------------------------------- | -------------------------------------------- |
| **Unauthenticated**<br />Authorizes access to public API endpoints and data. | ✓ | | | |
| **Admin**<br />Authorizes access to all API endpoints and data associated with the program. | ✓ | ✓ | | |
| **User**<br />Authorizes access to all API endpoints and data associated with the user. | ✓ | | ✓ | |
| **User single-use**<br />Authorizes a single request with access to all API endpoints and data associated with the user. | ✓ | | | ✓ |
| **Client access**<br />Displays a virtual card’s sensitive data. | ✓ | | | ✓ |

<h2 id="_obtaining_tokens">
  Obtaining tokens
</h2>

Marqeta distributes application tokens and admin access tokens directly to customers. Both application and admin access tokens are static, meaning that you can reuse them indefinitely.

You can also use Marqeta’s self-service credential API to create, retrieve, and delete admin access tokens. You can create up to 20 new admin access tokens per application. For more information, see the [Self-Service Credentials](/core-api/self-service-credentials/) page.

User access tokens and single-use access tokens are dynamically allocated by the Core API:

* A `POST` request to the `/users/auth/login` endpoint returns a user access token that is valid until the user is logged out or times out.

* A `POST` request to the `/users/auth/onetime` endpoint returns a single-use access token for a specified user that is valid for a single request.

* A `POST` request to the `/users/auth/clientaccesstoken` endpoint returns an access token for a specified card that is valid for a single request.

See the [Log in user](/core-api/users/#post_users_auth_login), [Create single-use token](/core-api/users/#post_users_auth_onetime), and [Create client access token](/core-api/users/#post_users_auth_clientaccesstoken) sections of the [Users](/core-api/users/) API reference page for more information about these endpoints.

<h2 id="_expiration_and_throttling">
  Expiration and throttling
</h2>

Application tokens never expire. Admin access tokens distributed directly by Marqeta also never expire. However, if you are using the self-service credential API to create admin access tokens, those admin access tokens will expire according to your configuration. For more information, see the [Self-Service Credentials](/core-api/self-service-credentials/) page.

User access tokens and user single-access tokens expire after two hours (120 minutes). Client access tokens expire after 5 minutes.

Requesting a user access token, user single-access token, or client access token with incorrect credentials returns an HTTP `401` status code. A throttling mechanism limits token requests to three within any 60 consecutive seconds. Throttled token requests also return an HTTP `401` status code.
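A client-side guard for the limits described above, as an added example (not Marqeta code): it builds the Basic `Authorization` value, caches a user access token for its two-hour lifetime, and blocks a fourth token request inside a 60-second window. The function and class names are hypothetical, and the example assumes the limit counts every token request sent through one guard instance.

```python
import base64
import time
from collections import deque

# Limits quoted from the page; all names below are hypothetical.
TOKEN_REQUEST_LIMIT = 3          # token requests allowed ...
TOKEN_REQUEST_WINDOW = 60.0      # ... within any 60 consecutive seconds
USER_TOKEN_TTL = 120 * 60        # user access token lifetime (seconds)


def basic_auth_header(application_token, password=""):
    """Application token as username; access token (or nothing) as password."""
    raw = f"{application_token}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenRequestGuard:
    """Caches access tokens and refuses a token request that would be throttled."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sent = deque()     # send times of recent token requests
        self._cache = {}         # user token -> (access token, expiry time)

    def seconds_until_allowed(self):
        now = self._clock()
        while self._sent and now - self._sent[0] >= TOKEN_REQUEST_WINDOW:
            self._sent.popleft()                 # fell out of the window
        if len(self._sent) < TOKEN_REQUEST_LIMIT:
            return 0.0
        return TOKEN_REQUEST_WINDOW - (now - self._sent[0])

    def record_request(self):
        """Call immediately before each POST to a /users/auth/... endpoint."""
        wait = self.seconds_until_allowed()
        if wait > 0:
            raise RuntimeError(f"token request would be throttled; wait {wait:.0f}s")
        self._sent.append(self._clock())

    def store(self, user_token, access_token, ttl=USER_TOKEN_TTL, margin=60):
        # Expire the cached copy early (margin is an assumption) to avoid races.
        self._cache[user_token] = (access_token, self._clock() + ttl - margin)

    def cached(self, user_token):
        token, expires_at = self._cache.get(user_token, (None, 0.0))
        if token is not None and expires_at > self._clock():
            return token
        self._cache.pop(user_token, None)        # expired or never stored
        return None
```

Because a throttled request and a bad credential both return `401`, a `401` received while `seconds_until_allowed()` was 0 points to the credentials rather than the limiter.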

<h2 id="_curl_example">
  cURL example
</h2>

This example illustrates a call (in cURL format) to retrieve account balances for a user. The user’s ID token is `bigbird_token`. The user’s current user access token is `user_access_token`. The application token is `application_token`.

```sh
curl -X GET --user application_token:user_access_token \
-H "Content-Type: application/json" \
"https://sandbox-api.marqeta.com/v3/users/bigbird_token/balances"
```

