# API Authentication Overview

> Learn how API Authentication works for server-to-server communication with the Smartcar API.

API Authentication is Smartcar's authentication method for server-to-server communication. Instead of holding a separate access token for every vehicle, your application obtains a single application-level access token using the OAuth 2.0 Client Credentials flow and uses it for all of its API calls.

## How It Works

API Authentication uses the OAuth 2.0 Client Credentials flow, designed for server-to-server scenarios where no user interaction occurs.

```mermaid theme={null}
sequenceDiagram
    participant App as Your Backend
    participant SC as Smartcar API

    App->>SC: Request access token (Client ID + Secret)
    SC-->>App: Access token
    App->>SC: API request + Authorization header
    SC-->>App: Vehicle data
```

Here's the flow:

1. **Authenticate**: Exchange your Client ID and Secret for an access token
2. **Make Requests**: Use the access token for all subsequent API calls

The access token is valid for 1 hour. Cache it and reuse it for that hour rather than requesting a new one on every call; request a replacement shortly before it expires, or as soon as the API rejects it.

## Key Concepts

### API Credentials

Your API credentials consist of:

* **Client ID** — Public identifier for your application (not a secret, but it authenticates nothing on its own)
* **Client Secret** — Private credential for authentication (must be stored securely)

Treat your Client Secret like a password. Never commit it to version control or expose it in client-side code.

### User ID (userId)

The `userId` is a unique identifier within the Smartcar platform representing a specific user's vehicle connection. You receive this ID when a user grants access to their vehicle through Smartcar Connect, and the Connections API lists it for each existing connection.

### sc-user-id Header

The `sc-user-id` header is required when accessing vehicle signals and issuing commands. It tells the API which user's vehicle connection to operate on: the application-level access token identifies only your application, not a user, so a vehicle request without this header cannot be scoped to a connection. Use the `userId` returned in the Connect redirect URL when the user completes the authorization flow.

```http theme={null}
GET https://vehicle.api.smartcar.com/v3/vehicles/{id}/signals
Authorization: Bearer YOUR_ACCESS_TOKEN
sc-user-id: {userId}
```

The header is also accepted on the `/connections` endpoint to filter results by user.
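The two steps of the flow (authenticate, then make requests) together with the `sc-user-id` header, as an added Python example written for this page; it is not code from the page or from a Smartcar SDK. It assumes a token endpoint at `https://auth.smartcar.com/oauth/token` that accepts HTTP Basic client authentication with `grant_type=client_credentials`, as RFC 6749 describes (the Setup Guide has the authoritative values); the vehicle URL is the one shown above. The `SMARTCAR_CLIENT_ID` and `SMARTCAR_CLIENT_SECRET` variable names, the `FakeSmartcar` transport, and the sample vehicle and user IDs are constructed for the example. The client caches the token, renews it a minute before the one-hour expiry, drops it on a 401 so the next call re-authenticates, and refuses to build a vehicle request without a `userId`.

```python
import base64
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

# VEHICLE_API is from the page; TOKEN_URL and HTTP Basic client auth are assumptions.
TOKEN_URL = "https://auth.smartcar.com/oauth/token"
VEHICLE_API = "https://vehicle.api.smartcar.com/v3"
TOKEN_LIFETIME_S = 3600  # the page: the token is valid for 1 hour
REFRESH_MARGIN_S = 60    # renew this long before expiry rather than on the first 401

class SmartcarAuthError(RuntimeError): ...

def urllib_transport(method, url, headers, body):
    """Real HTTP transport: (method, url, headers, body) -> (status, body_bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

class SmartcarClient:
    def __init__(self, client_id=None, client_secret=None, transport=urllib_transport, clock=time.time):
        # Credentials default to the environment (or whatever your secrets manager injects).
        client_id = client_id or os.environ.get("SMARTCAR_CLIENT_ID")
        client_secret = client_secret or os.environ.get("SMARTCAR_CLIENT_SECRET")
        if not client_id or not client_secret:
            raise SmartcarAuthError("client credentials are not configured")
        self._client_id, self._client_secret = client_id, client_secret
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def _fetch_token(self):
        # Step 1: exchange Client ID + Secret for an application-level token.
        basic = base64.b64encode(f"{self._client_id}:{self._client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"}
        body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
        status, raw = self._transport("POST", TOKEN_URL, headers, body)
        if status != 200:  # report only the status; never echo the request or the secret
            raise SmartcarAuthError(f"token endpoint returned HTTP {status}")
        data = json.loads(raw)
        self._token = data["access_token"]
        self._expires_at = self._clock() + int(data.get("expires_in", TOKEN_LIFETIME_S))

    def access_token(self):
        """Reuse the cached token; fetch a new one only when it is near or past expiry."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_S:
            self._fetch_token()
        return self._token

    def vehicle_headers(self, user_id):
        # Step 2: the token identifies only the application; sc-user-id selects the user.
        if not user_id:
            raise ValueError("sc-user-id is required for vehicle signals and commands")
        return {"Authorization": f"Bearer {self.access_token()}", "sc-user-id": user_id}

    def get_signals(self, vehicle_id, user_id):
        url = f"{VEHICLE_API}/vehicles/{urllib.parse.quote(vehicle_id, safe='')}/signals"
        status, raw = self._transport("GET", url, self.vehicle_headers(user_id), None)
        if status == 401:
            self._token = None  # drop the cache so the next call re-authenticates
            raise SmartcarAuthError("access token rejected by the API")
        if status != 200:
            raise RuntimeError(f"signals request failed with HTTP {status}")
        return json.loads(raw)

class FakeSmartcar:
    """Constructed stand-in for the token endpoint and vehicle API, so this runs offline."""

    def __init__(self):
        self.token_requests, self.valid_tokens = 0, set()

    def __call__(self, method, url, headers, body):
        auth = headers.get("Authorization", "")
        if method == "POST" and url == TOKEN_URL and auth.startswith("Basic "):
            self.token_requests += 1
            token = f"tok-{self.token_requests}"
            self.valid_tokens.add(token)
            return 200, json.dumps({"access_token": token, "expires_in": TOKEN_LIFETIME_S}).encode()
        if auth.removeprefix("Bearer ") not in self.valid_tokens or not headers.get("sc-user-id"):
            return 401, b'{"error":"unauthorized"}'
        return 200, json.dumps({"vehicleId": url.split("/")[-2], "userId": headers["sc-user-id"]}).encode()

def demo():
    """Token reuse, pre-expiry refresh, and recovery after the server rejects a token."""
    api, now = FakeSmartcar(), [1_700_000_000.0]
    client = SmartcarClient("client-id", "client-secret", transport=api, clock=lambda: now[0])
    client.get_signals("veh-1", "user-1")
    client.get_signals("veh-1", "user-1")        # second call reuses the cached token
    now[0] += TOKEN_LIFETIME_S - 30              # inside the refresh margin: a new token is fetched
    client.get_signals("veh-1", "user-1")
    api.valid_tokens.clear()                     # the server now rejects every issued token
    try:
        client.get_signals("veh-1", "user-1")
    except SmartcarAuthError:
        pass                                     # cache dropped; the next call re-authenticates
    result = client.get_signals("veh-1", "user-1")
    return {"tokens_issued": api.token_requests, "after_revoke": result}
```

Leave `transport` at its default (`urllib_transport`) and set the two environment variables to run against the real API. The only code that ever touches the Client Secret is `_fetch_token`, and its error path reports the HTTP status alone, so the secret cannot leak into logs or exception traces through this client.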

### Connections API

The Connections API manages vehicle connections at the application level. With API Authentication, you use this API to:

* List vehicle connections, including the `userId` and vehicle ID for each
* Manage vehicle connections
* Handle subscription events

## Security Considerations

<Warning>
  Never store your Client Secret in public clients, browser cookies, or plain text files. Your backend must securely store and manage API credentials.
</Warning>

Follow these security best practices:

* **Secure Storage** — Keep Client Secrets in environment variables, secrets management systems, or encrypted vaults, and keep both the secret and the access tokens it produces out of application logs and error reports
* **Secret Rotation** — Rotate your Client Secret on a regular schedule or immediately if compromised
* **Audit Trails** — Monitor your Smartcar Dashboard for API Credentials activity and audit logs
* **Least Privilege** — Restrict API credential access to backend services that require it
* **No Client-Side Usage** — Never use API credentials in mobile apps, web frontends, or any public-facing code

Your Smartcar Dashboard provides visibility into credential usage and security events. Review audit logs regularly to detect unauthorized activity.

## What's Next

Ready to implement API Authentication?

* **[Setup Guide](/getting-started/how-to/api-authentication)** — Step-by-step setup and code examples
* **[Migration Guide](/getting-started/how-to/m2m/migration-guide)** — Transition from per-vehicle tokens to API Authentication
* **[FAQ](/getting-started/how-to/m2m/faq)** — Common questions and answers
* **[Connections API Reference](/api-reference/list-connections)** — Complete endpoint documentation
