Managing Credentials

All requests to the CARTO APIs must be authenticated. When starting a project or building an application you can choose between three types of authentication strategies:

  • API Access Tokens

  • Single-Page Application (SPA) OAuth Clients

  • Machine-to-Machine (M2M) OAuth Clients

Which authentication strategy is the right one for my project?

We have covered this topic more in-depth including detailed explanations for each strategy and recommendations in the Authentication Methods section of our CARTO for Developers documentation.

However, if you just want to test things out and build a simple application with no authentication, you should create an API Access Token first.

This section allows you to seamlessly create, edit and manage API Access Tokens, SPA OAuth Clients, and M2M OAuth Clients. It also contains the current API Base URL that you should use in all your API calls. Learn more about the API Base URL.

Starting on April 25th 2024, credentials are NOT shown by default in Applications.

Previously, when you created a credential (formerly known as developer application) it would also be registered and available for viewers in the Applications section. This created confusion from an administration point of view, since you could also register applications as an admin.

With this change, credentials are exclusively used for authentication management, and administrators have full control of the Applications section through the Settings > Advanced > Applications section.

  • All existing credentials created before April 25th 2024 have been duplicated as Applications to minimize impact for end viewers in your organization.

The timeline in Self-Hosted deployments for this change is version-specific and will be documented here.

Last updated