> ## Documentation Index
> Fetch the complete documentation index at: https://docs.onconsul.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authorization

Every Consul API request is authenticated by sending a credential in
the `Authorization` header using the `Bearer` scheme. Consul determines
the credential type from its prefix — there is no separate auth scheme
per credential.

```shell theme={"system"}
curl https://api.onconsul.com/v1/balance \
  -H "Authorization: Bearer $CONSUL_CREDENTIAL"
```

### API key

A long-lived API key issued from the Consul dashboard. Cleartexts are
prefixed with `csl_live_…`. API keys are scoped at creation time to a
set of resource-scoped permissions (e.g. `balance:read`,
`payouts:write`). Requests that exceed the key's scope are rejected
with `403 forbidden`.

You can provision and revoke API keys from the **Developers** section
of the [dashboard](https://dashboard.onconsul.com). The cleartext key
is shown exactly once at creation time — Consul stores only an
HMAC-SHA256 hash and cannot recover the original value if you lose it.

```shell theme={"system"}
curl https://api.onconsul.com/v1/balance \
  -H "Authorization: Bearer $CONSUL_API_KEY"
```

### OAuth access token

For third-party apps acting on behalf of a Consul user, authenticate
with a token obtained through the WorkOS Connect authorization code
flow at `auth.onconsul.com`.

```shell theme={"system"}
curl https://api.onconsul.com/v1/balance \
  -H "Authorization: Bearer $OAUTH_ACCESS_TOKEN"
```

OAuth tokens carry the same kind of resource-scoped permissions as
API keys — but the user picks them on the consent screen rather than
the developer picking them at key-creation time.

See the [OAuth Connections](/guides/oauth) guide for the full flow,
including obtaining and refreshing access tokens.
