> ## Documentation Index
> Fetch the complete documentation index at: https://api.corpay.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate and securely access Fleet API.

## Overview

All API requests must be authenticated using a bearer token (JWT).

* Protocol: HTTPS
* Authentication: Bearer token
* Header: `Authorization`

## Base URL

Use the appropriate `<BASE_URL>` for your environment:

* Test environment: `https://apigwuat.corpay.com`
* Production environment: `https://apigw.corpay.com`

## Getting Access Token

To access the API, you must first obtain an access token. This requires a `client_id` and `client_secret`, which Corpay provides after onboarding is complete.

**Endpoint:** `POST <BASE_URL>/keycloak/realms/longship/protocol/openid-connect/token`

### Request

```bash theme={null}
# Replace <BASE_URL> with the appropriate host for your environment

curl "<BASE_URL>/keycloak/realms/longship/protocol/openid-connect/token" \
  --header 'accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=your_client_id' \
  --data-urlencode 'client_secret=your_client_secret'
```

### Response

```json theme={null}
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia----",
  "expires_in": 36000,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0,
  "scope": "profile email"
}
```

## Using the Access Token

Include the token in every request header:

```http theme={null}
Authorization: Bearer <access_token>
```

* In test environment, tokens may have a longer lifetime, for example `36000` seconds.
* In production, tokens typically expire after `3600` seconds, or one hour.
