There are two types of application credentials that can be used in order to make authenticated requests with Mariana Tek: API keys and OAuth2.0 client credentials. The primary difference between the two authentication strategies is that requests which are authenticated with OAuth2.0 will be tied to the end user, whereas those authenticated with an API key will be tied to the service account associated with your application. The type of credentials that should be used by your application depends both on your use case and on the type of application you are building. If you are building a Single Page Application (SPA) or a mobile application, OAuth2.0 credentials will be required. If the application is executing on a server, you may use either an API key or OAuth2.0 credentials.


OAuth2.0 is an authorization framework which allows third party applications to act on behalf of the end user, without necessarily gaining access to their sensitive credentials. Mariana Tek is an OAuth2.0 provider. In order to register your application and get credentials to start authenticating via OAuth, please contact

Within the OAuth2.0 framework, there are several flows that can be used. The appropriate flow to use is determined by the client type for your application. The client type for an application will be either "confidential" when the application can store client credentials securely, or "public" when the application cannot store credentials without exposing them. For example, single-page applications and mobile applications are considered public, whereas server-side web applications are typically confidential. Mariana Tek supports the Authorization Code flow for confidential applications and the Authorization Code w/ PKCE flow for public applications.

API Keys

In order to use an API key for authentication, you will need to register your application and select the desired permissions for your service user. You can then be issued an API key associated with this account. To manage your applications and credentials, please contact

Because API keys can be granted permissions to perform potentially sensitive actions, it is essential to keep these keys secure. In particular, you should not commit these keys to version control or use them in client-side code.

To make an authenticated request with an API key, bearer authentication should be used:

curl -H "Authorization: Bearer {api_key}" https://{SUBDOMAIN}