API access
API access enables software (services, schedulers, CLIs, scripts) to programmatically call Atlan APIs without an interactive user session. It's independent of SSO/UI sessions and uses bearer tokens supplied in each request. API category permissions are governed by the credential’s assigned role/subrole, while asset visibility is governed by assigned personas. API endpoints and payloads are unchanged; this section describes authentication and scope only.
Authentication options
Atlan supports the following authentication methods for API access. Select the method that best fits your use case:
OAuth clients (recommended)
Short-lived tokens with higher security for machine-to-machine integrations
- Issues short-lived, scoped access tokens using the OAuth 2.0 Client Credentials flow
- Preferred for server-to-server workloads (CI/CD, schedulers, backend services)
- Enables least-privilege access via scopes; tokens are valid only until they expire, and a client can be deleted to revoke its access
- Reduces blast radius compared to long-lived keys; recommended for production-grade integrations
- Requires managing a client ID and secret on the server
API tokens
Long-lived tokens for simple, backwards-compatible programmatic access
- Single static token tied to a user or service account for direct HTTP API calls
- Suited to quick scripts, local prototyping, and legacy tools that do not support OAuth
- Simpler setup with no token exchange, but higher risk if leaked
- Inherits the full permissions of the issuing account; use dedicated service accounts
- Store in a secrets manager or environment variable; never embed in client-side code
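The following is an added example, not Atlan's own SDK or code, showing the client-credentials pattern from the OAuth clients section together with the secrets-handling advice above: the client ID and secret are read from the environment, a short-lived bearer token is requested and cached, and it is refreshed before expiry so each API call carries a live token. The token endpoint URL, scope name, environment variable names and all class and function names are assumptions for illustration; the real values are not given on this page.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://PLACEHOLDER-TENANT.example/oauth/token"  # placeholder; not from the page

class ClientCredentialsToken:
    """Obtains a bearer token via the OAuth 2.0 client credentials grant and caches it
    until shortly before expiry, so every outgoing request carries a live token."""
    SKEW = 30  # seconds of headroom; refresh before an in-flight call could see expiry

    def __init__(self, token_url, client_id, client_secret, scope, post=None, clock=time.time):
        self._url, self._id, self._secret, self._scope = token_url, client_id, client_secret, scope
        self._post = post or self._http_post  # injectable so the logic can be exercised offline
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    @staticmethod
    def _http_post(url, form, basic_auth):
        # Client id/secret travel in the HTTP Basic header, never in the URL or in logs.
        req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
        req.add_header("Authorization", "Basic " + basic_auth)
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def _refresh(self, now):
        creds = base64.b64encode(f"{self._id}:{self._secret}".encode()).decode()
        body = self._post(self._url, {"grant_type": "client_credentials", "scope": self._scope}, creds)
        if body.get("token_type", "").lower() != "bearer":
            raise ValueError(f"unexpected token_type: {body.get('token_type')!r}")
        self._token = body["access_token"]
        self._expires_at = now + float(body["expires_in"])  # expires_in is relative seconds

    def bearer(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self.SKEW:
            self._refresh(now)
        return self._token

    def auth_header(self):
        """Header to attach to each API call; a fresh token is fetched only when needed."""
        return {"Authorization": "Bearer " + self.bearer()}

def from_env(token_url=TOKEN_URL, scope="PLACEHOLDER_SCOPE", **kw):
    return ClientCredentialsToken(token_url, os.environ["ATLAN_CLIENT_ID"],  # hypothetical var names
                                  os.environ["ATLAN_CLIENT_SECRET"], scope, **kw)
```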