> ## Documentation Index
> Fetch the complete documentation index at: https://docs.paxos.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure API Credentials

> Create and update an OAuth2 client.

Most API endpoints require authentication with a **Client ID** and **Secret**. Each **Client ID** has a specific set of allowed scopes (**Permissions**) to access API endpoints. Scopes allowed on an API client may be updated at any time in the Dashboard **Admin > API Management** section.

<Tip>
  Contact your [Entity Manager](guides/dashboard/roles#entity-manager) if you need permissions to manage API credentials.
</Tip>

When setting scopes, Paxos recommends following the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) and only allow scopes required by a specific application. Scopes for each endpoint are listed in the **Authorizations** section in the [API Reference docs](/api-reference/introduction). The [Market Data](/api-reference/endpoints/market-data) and most [Pricing](/api-reference/endpoints/pricing) endpoints do not require authorization.

Once the credentials are activated, most users find success using one of the libraries on the [OAuth2 website](https://oauth.net/code) for authentication.

> To add or modify API Credentials, you'll need a [Developer](/guides/dashboard/roles#developer) or other role with appropriate permissions. Contact your [Entity Manager](/guides/dashboard/roles#entity-manager) for help.

## Add API Credentials

1. Log in to your Dashboard account and go to [API Management](https://dashboard.paxos.com/admin/api).
2. Click **API Credentials**.
3. Create a **Label** for your API credentials.
4. Select the **Scopes** for your **Client ID**. For example, the following scopes (space delimited) should be adequate to [convert](/guides/dashboard/convert) Paxos-issued stablecoins:

```shell theme={null}
orchestration:read_orchestration
orchestration:write_orchestration
orchestration:read_orchestration_rule
orchestration:write_orchestration_rule
funding:read_profile
funding:write_profile
transfer:read_deposit_address
transfer:read_transfer
transfer:read_fiat_account
transfer:read_fiat_deposit_instructions
transfer:write_internal_transfer
transfer:write_crypto_withdrawal
transfer:write_deposit_address
transfer:write_fiat_account
transfer:write_fiat_deposit_instructions
transfer:write_fiat_withdrawal
```

1. Optional: Add **Allowable IP** addresses. If you have a single IP address, you can configure a CIDR entry to specify a single IP with 32 fixed bits by appending `/32` to the address. For example, using `000.000.0.000/32` will allow only the IP address `000.000.0.000`.
2. Optional: Enable **Request Signing**.
3. Click **Create Credentials**.
4. Copy the **Client ID** and **Client Secret** and store them in a safe place. The secret will not be displayed in the UI again, and it will have to be reset if forgotten.

## Update or Delete Credentials

To make changes to an existing client, select it from **API Credentials** and click either **Edit API Credentials** or **Delete API Credentials**.