# Authentication

Visibly uses a standard OAuth 2.0 **Client Credentials** flow. You will perform a one-time exchange of your credentials for a temporary access token, which is then used for all subsequent API calls.

## Step 1: Obtain an Access Token

To retrieve a token, make an HTTP POST request to our token endpoint. You must include a Basic Authorization header containing your Base64-encoded credentials (`clientId:clientSecret`).

- Sandbox Endpoint: `https://sandbox-visibly.auth.us-east-1.amazoncognito.com/oauth2/token`
- Production Endpoint: `https://prod-visibly.auth.us-east-1.amazoncognito.com/oauth2/token`
- Header: `Authorization: Basic {{Base64(clientId:clientSecret)}}`
- Content-Type: `application/x-www-form-urlencoded`
- Body: `grant_type=client_credentials`

### Response Format

The server returns a JSON object containing your `access_token` and its expiration time (usually 3600 seconds).

Example response:

```
{
  "access_token": "eyJhbGciOiJ...",
  "expires_in": 3600,
  "token_type": "Bearer"
}
```

Note: Store the `expires_in` value to know when to request a new token. You should request a new token before the current one expires.

## Step 2: Authenticate Subsequent Requests

Once you have the `access_token`, include it in the header of every GraphQL request.

- Header Key: `Authorization`
- Header Value: `Bearer {{access_token}}`

### Implementation Checklist

- You can exchange your credentials for a valid `access_token`.
- You can successfully call the Visibly API by passing the token in the `Authorization` header.
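
The two steps above as a Python client, added here as an example and not Visibly's own code: it builds the Step 1 request, caches the token, and requests a new one 60 seconds before `expires_in` elapses. `TokenCache`, `build_token_request`, `http_send`, the injectable `send`/`clock` parameters and the 60-second margin are assumptions of this example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

SANDBOX_TOKEN_URL = "https://sandbox-visibly.auth.us-east-1.amazoncognito.com/oauth2/token"

def build_token_request(token_url, client_id, client_secret):
    """Step 1 request: Basic credentials header plus form-encoded grant_type."""
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must be HTTPS; credentials travel in the header")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")

def http_send(request):
    """Default transport (hypothetical helper): send and decode the JSON body."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Caches the access token and renews it `skew` seconds before expiry."""
    def __init__(self, token_url, client_id, client_secret,
                 send=http_send, clock=time.monotonic, skew=60):
        self._args = (token_url, client_id, client_secret)
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._refresh_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._refresh_at:
            body = self._send(build_token_request(*self._args))
            if str(body.get("token_type", "")).lower() != "bearer" or not body.get("access_token"):
                raise ValueError("unexpected token response")  # do not log the body
            self._token = body["access_token"]
            lifetime = int(body.get("expires_in", 0))  # missing value: refetch every call
            self._refresh_at = self._clock() + max(lifetime - self._skew, 0)
        return self._token

    def auth_header(self):
        """Step 2 header for every GraphQL request."""
        return {"Authorization": f"Bearer {self.token()}"}
```

Load the client ID and secret from the environment or a secrets manager rather than from source code, and keep the token itself out of logs and error messages.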