> ## Documentation Index > Fetch the complete documentation index at: https://docs.paxos.com/llms.txt > Use this file to discover all available pages before exploring further. # Authenticate > Generate an authentication token. The APIs use industry standard OAuth2 for authentication. Most users find success with one of the libraries on the [OAuth2 website](https://oauth.net/code). The following URLs can be used when using an off-the-shelf OAuth2 library: | Environment | Root URL | Full Path | | ----------- | ------------------------------------------------------------------ | -------------------------------------------------------------------------------------------- | | Sandbox | [https://oauth.sandbox.paxos.com](https://oauth.sandbox.paxos.com) | [https://oauth.sandbox.paxos.com/oauth2/token](https://oauth.sandbox.paxos.com/oauth2/token) | | Production | [https://oauth.paxos.com](https://oauth.paxos.com) | [https://oauth.paxos.com/oauth2/token](https://oauth.paxos.com/oauth2/token) | ## ➊ Add Scopes (Client Permissions) When authenticating, include the scopes (**Client Permissions**) necessary for the client to complete the intended actions. > Scopes for each endpoint are listed in the **Authorizations** section in the [API Reference docs](/api-reference). > The [Market Data](/api-reference/endpoints/market-data) and most [Pricing](/api-reference/endpoints/pricing) endpoints do not require authorization. For example, the following scopes (space delimited) should provide sufficient permissions to [mint](/guides/developer/orchestrations/mint), [redeem](/guides/developer/orchestrations/redeem), and [convert](/guides/developer/orchestrations/convert) Paxos-issued stablecoins: ```shell theme={null} orchestration:read_orchestration orchestration:write_orchestration orchestration:read_orchestration_rule orchestration:write_orchestration_rule funding:read_profile funding:write_profile transfer:read_deposit_address transfer:read_transfer transfer:read_fiat_account transfer:read_fiat_deposit_instructions transfer:write_internal_transfer transfer:write_crypto_withdrawal transfer:write_deposit_address transfer:write_fiat_account transfer:write_fiat_deposit_instructions transfer:write_fiat_withdrawal ``` ## ➋ Get Access Token Every endpoint that requires a **Scope** must be accompanied by an "Authorization"` header with a value that follows the \"Bearer {access_token}"` schema. ### Sandbox To authenticate with [https://oauth.sandbox.paxos.com/oauth2/token](https://oauth.sandbox.paxos.com/oauth2/token), use your [credentials](/guides/developer/credentials) to create a bearer token. The authentication request must include `{client_id}` (**Client ID**) and `{client_secret}` (**Client Secret**) configured for your [API credentials](/guides/developer/credentials). Include sufficient `{client_scopes}` (**Client Permissions**). ```shell highlight={5} theme={null} curl --location 'https://oauth.sandbox.paxos.com/oauth2/token' \ --form grant_type=client_credentials \ --form client_id={client_id} \ --form client_secret={client_secret} \ --form scope='{client_scopes}' ``` ### Production To authenticate with [https://oauth.paxos.com/oauth2/token](https://oauth.paxos.com/oauth2/token), use your [credentials](/guides/developer/credentials) to create a bearer token. The authentication request must include the `{client_id}` (**Client ID**) and `{client_secret}` (**Client Secret**) configured for your [API credentials](/guides/developer/credentials). Include sufficient `{client_scopes}` (**Client Permissions**). ```shell highlight={5} theme={null} curl --location 'https://oauth.paxos.com/oauth2/token' \ --form grant_type=client_credentials \ --form client_id={client_id} \ --form client_secret={client_secret} \ --form scope='{client_scopes}' ``` Confirm the response includes the requisite scopes and save the `access_token` to use in the request authorization header (`-H "Authorization: Bearer {access_token}"`). ```json highlight={2,4} theme={null} { "access_token": "{access_token}", "expires_in": 3599, // Seconds (59 Minutes and 59 Seconds) "scope": "{client_scopes}", "token_type": "bearer" } ``` Once you have the `access_token`, [make an API call in Sandbox](/guides/developer/request).