# Authentication methods

All requests to the CARTO APIs (and therefore all developments using CARTO) must be authenticated. When starting a project or building an application, we recommend choosing one between these three strategies:

* **Authentication via API Access Tokens:** These types of permanent tokens are simple, easy to generate, restrictive, and not tied to specific users. You can use them directly to authenticate your requests. [Read more about API Access Tokens](https://docs.carto.com/carto-for-developers/key-concepts/authentication-methods/api-access-tokens).
* **Authentication via Single Page OAuth Client:** Authenticate each user separately by presenting them a login where they need to introduce their CARTO credentials — or their SSO credentials if configured. Once set up, your app will obtain and use [*OAuth Access Tokens*](https://docs.carto.com/carto-for-developers/key-concepts/authentication-methods/oauth-access-tokens) for each user independently. [Read more about Single Page Applications](https://docs.carto.com/carto-for-developers/key-concepts/applications#single-page-application-spa).
* **Authentication via Machine-to-Machine OAuth Client:** Obtain an [*OAuth Access Token*](https://docs.carto.com/carto-for-developers/key-concepts/authentication-methods/oauth-access-tokens) on demand (using a backend application) without the user having to log in and use it to authenticate all your requests. [Read more about Machine-to-Machine Applications](https://docs.carto.com/carto-for-developers/key-concepts/applications#machine-to-machine-authentication-m2m).