OAuth Clients
Applications are entities that belong to your CARTO organization. They usually represent a project, and they also provide a method to authenticate that project, as well as the technical configuration for that method (e.g., callback URL, allowed URLs). Applications are visible to the entire organization by default, but only the user that created the application can edit or delete it.
There are two types of applications: Single-Page Applications (SPA OAuth Clients) and Machine-to-Machine Applications (M2M OAuth Clients).
Single-Page Application OAuth Clients (usually referred to as SPA OAuth Clients) obtain OAuth Access Tokens for each user by presenting a login flow where the user enters their CARTO credentials. This login flow can be the CARTO default login, or your own SSO login if it has been configured for the organization and the app.
After each user successfully logs in, the app will obtain a short-lived OAuth Access Token that you can use through your app.
Open your CARTO Workspace and navigate to the "Developers" section
Then, click on "Credentials" and "Create new"
Make sure to select "SPA OAuth Client". Read more about .
You should use a Single-Page Application OAuth Client when:
Building a private application where the end users are also CARTO users
Building an application where row-level security and other role-based access controls from a single table are a must for security (so that requests from your application use a different credential for each user)
We encourage and recommend the use of SPA OAuth Clients as they're easy to set up and maintain. We also recommend synchronizing your end users with CARTO using SSO to support scalable security setups.
Machine-to-Machine OAuth Clients (usually referred to as M2M OAuth Clients) obtain OAuth Access Tokens on demand, using the client_secret of the application to request them.
This method doesn't require a login flow in which a user types a password to get a token.
Open your CARTO Workspace and navigate to the "Developers" section
Then, click on "Credentials" and "Create new"
You should use a Machine-to-Machine OAuth Client when:
Building a private application where the end users do not exist in CARTO (and the security access levels can't be managed manually)
You need to programmatically manage API Access Tokens and Connection
We only recommend Machine-to-Machine authentication when the use case can't be solved using the other methods.
Make sure to select "M2M OAuth Client". Read more about .
Machine-to-Machine is only available for Enterprise Large plans and above. Please get in touch at if you’re interested in this feature.
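The M2M flow described above, sketched as an added example (not CARTO's own code): a server-side provider that requests a token with the client_secret using the standard OAuth 2.0 client-credentials fields, caches it until shortly before expiry, and keeps the secret out of logs. The token URL is a placeholder, the `CARTO_CLIENT_ID` / `CARTO_CLIENT_SECRET` variable names are hypothetical, and any extra form fields the real endpoint requires are not shown on this page and are not included.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Placeholder (assumption): use the token endpoint from your CARTO documentation.
TOKEN_URL = "https://auth.example.invalid/oauth/token"

def post_form(url, fields):
    """Default transport: POST form fields over HTTPS, return the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class M2MTokenProvider:
    """Holds M2M credentials server-side and caches the access token."""

    def __init__(self, client_id, client_secret, transport=post_form,
                 clock=time.monotonic, skew=30):
        if not client_id or not client_secret:
            raise ValueError("client_id and client_secret are required")
        self._id, self._secret = client_id, client_secret
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._expires_at = None, 0.0

    def __repr__(self):  # keep the secret out of logs and tracebacks
        return f"M2MTokenProvider(client_id={self._id!r}, client_secret=<redacted>)"

    def token(self):
        """Return the cached token; request a new one when close to expiry."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            reply = self._transport(TOKEN_URL, {
                "grant_type": "client_credentials",  # RFC 6749, section 4.4
                "client_id": self._id,
                "client_secret": self._secret,
            })
            if "access_token" not in reply:
                raise RuntimeError(f"token request failed: {reply.get('error')}")
            self._token = reply["access_token"]
            self._expires_at = self._clock() + float(reply.get("expires_in", 0))
        return self._token

def provider_from_env(env=os.environ, **kwargs):
    """Read credentials from the environment, never from source or SPA code."""
    cid, secret = env.get("CARTO_CLIENT_ID"), env.get("CARTO_CLIENT_SECRET")
    return M2MTokenProvider(cid, secret, **kwargs)
```

Because the client_secret alone is enough to mint tokens, this code belongs on a backend only; a browser-delivered application should use the SPA OAuth Client instead.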