# Authentication

To authorize requests, send a bearer JSON Web Token in the `Authorization` header.

Example:

```shell
curl -X GET \
  https://api.bloq.cloud/nodes/v1/status \
  -H 'Authorization: Bearer xxxxxx.xxxxxxxxxx.xxxxxx'
```

{% hint style="success" %}
**TIP**

Bloq provides libraries to interact with its services, making authentication easier. If you use the [CLI](https://docs.bloq.com/advanced-documentation/technical-reference/cli) or [JavaScript SDK](https://docs.bloq.com/advanced-documentation/technical-reference/javascript-sdk), some of these steps will not be required.
{% endhint %}

## Requirements

In order to authenticate to Bloq services, you must have a Bloq account. To create an account, follow [these instructions](https://docs.bloq.com/readme/bloq-account-setup).

## Reference

This reference section for the Authentication API outlines the key concepts for authenticating to Bloq services, including `Client-Keys` and the various types of `Tokens`.

### Tokens

Bloq uses different tokens across its services. Here are the types and usages of these tokens:

#### **Account Access Token:**

The `Account Access Token` is a JSON Web Token created by the Accounts service that enables the user to interact with account-related services, such as retrieving profile information, updating the password, and creating client IDs and secrets. This token can also be used to interact with the BloqNodes services. The `Account Access Token` expires after 12 hours.

#### **Client Access Token:**

The `Client Access Token` is a JSON Web Token created by the Accounts service that enables the user to interact with [Nodes](https://docs.bloq.com/advanced-documentation/technical-reference/nodes-api) services. This is a short-lived token that expires after 1 hour.

To create a Client Access Token, follow [these instructions](https://docs.bloq.com/advanced-documentation/developers-guide/client-tokens).

#### **Client Refresh Token:**

The `Client Refresh Token` is a JSON Web Token created by the Accounts service that enables the user to create a new `Client Access Token`. This is a long-lived token, and expires after 1 year. Store this token carefully.

To create a Client Refresh Token, follow [these instructions](https://docs.bloq.com/advanced-documentation/client-tokens#refreshing-the-client-access-token).

### Client Keys

#### Overview

Client keys are pairs (Client ID + Client Secret) composed of random hexadecimal numbers. They enable your code or program to authenticate with our servers and grant access to various Bloq services.

{% hint style="success" %}
**TIP**

Client keys are sensitive information. You should avoid sharing or exposing them. Always keep them safe.
{% endhint %}

{% hint style="danger" %}
**WARNING**

Once you generate a client key pair, you will not be able to retrieve the **Client Secret** from Bloq services again. Bloq is unable to help you recover this key.
{% endhint %}

Client keys are used by programs to create `Client Access Tokens` and `Client Refresh Tokens`.

#### **Create Client Keys**

To create a client key pair, follow [these instructions](https://docs.bloq.com/readme/create-client-keys).

## Usage

The type of token/authentication that should be used will depend on the Bloq service. This usage section outlines the type of tokens/authentication required per Bloq service.

### Accounts

To interact with accounts, the user needs an `Account Access Token`. There are two ways of creating this token:

#### **Using the CLI**

The Bloq CLI provides this functionality out of the box using the `bcl login` command. The `Account Access Token` may additionally be retrieved with the `bcl conf accessToken` command.

#### **Using Accounts HTTP REST API**

This endpoint uses HTTP Basic Authentication: provide a username (User ID or email) and password, and it returns an authentication token to pass to other Accounts API functions.

#### **Code sample**

```shell
curl -u username:password -X POST https://api.bloq.com/auth/login
```

### Nodes

To interact with the Nodes service, the user may use their `Account Access Token` or a `Client Access Token`. To create a `Client Access Token`, a `Client Key Pair` (Client ID + Client Secret) is required.

{% hint style="warning" %}
**WARNING**

The `Account Access Token` and `Client Access Token` are not interchangeable. In other words, a `Client Access Token` cannot be used for Accounts services.
{% endhint %}
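
The token lifetimes in the Reference section (1 hour for a `Client Access Token`, 1 year for a `Client Refresh Token`) imply a client-side decision before each Nodes request: use the access token, refresh it, or create new tokens from the client keys. The sketch below is an added example, not Bloq code or part of the SDK. It assumes the tokens carry the standard JWT `exp` claim, and the function names and sample tokens are constructed for illustration.

```javascript
// Added example, not Bloq code. Assumption: the tokens carry the standard
// `exp` claim (RFC 7519, seconds since the epoch). The signature is not
// checked here; the payload is read only to plan the next request.

// Decode the payload (middle segment) of a compact JWT.
function decodeClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Seconds until expiry; malformed tokens or a missing `exp` count as expired.
function secondsLeft(token, nowSec) {
  try {
    const { exp } = decodeClaims(token);
    return Number.isFinite(exp) ? exp - nowSec : 0;
  } catch {
    return 0;
  }
}

// Prefer the short-lived credential and fall back to longer-lived ones only
// when needed. skewSec leaves room for clock drift and request latency.
function nextAction(accessToken, refreshToken, nowSec, skewSec = 60) {
  if (secondsLeft(accessToken, nowSec) > skewSec) return 'use-access-token';
  if (secondsLeft(refreshToken, nowSec) > skewSec) return 'refresh-access-token';
  return 'new-tokens-from-client-keys';
}

// Constructed sample tokens (placeholder signature, not issued by Bloq).
function sampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.placeholder`;
}

const now = 1700000000; // fixed clock so the output is reproducible
const access = sampleToken({ exp: now + 60 * 60 });             // 1 hour
const refresh = sampleToken({ exp: now + 365 * 24 * 60 * 60 }); // 1 year (365 days assumed)
console.log(nextAction(access, refresh, now));
console.log(nextAction(access, refresh, now + 59 * 60 + 30));
console.log(nextAction(access, refresh, now + 366 * 24 * 60 * 60));
```

Refreshing slightly early means the long-lived refresh token is sent only when the access token is about to lapse, not on every request.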
