> ## Documentation Index
> Fetch the complete documentation index at: https://docs.charlemagnelabs.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate requests to the Charley API

The Charley API uses **OAuth2 / OpenID Connect** via Auth0. All requests to protected endpoints must include a valid JWT in the `Authorization` header.

## Getting a Token

### From the Dashboard (Dev/Testing)

If you're testing the API manually, the easiest way to get a token is from your browser's DevTools while logged in to the dashboard:

1. Open the Network tab.
2. Find any `/api/*` request.
3. Copy the value of the `Authorization: Bearer ...` header.

### Machine-to-Machine (Client Credentials)

For server-side integrations, use the Auth0 Client Credentials flow:

```bash theme={null}
curl -X POST https://<AUTH0_DOMAIN>/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "<CLIENT_ID>",
    "client_secret": "<CLIENT_SECRET>",
    "audience": "<API_AUDIENCE>",
    "grant_type": "client_credentials"
  }'
```

The response includes an `access_token` valid for the specified lifetime.

### Using the Token

Include the token in every request:

```bash theme={null}
Authorization: Bearer <access_token>
```

## Token Validation

The API validates tokens using Auth0's public JWKS. Tokens must:

* Be signed by your Auth0 tenant
* Have the correct `audience` claim
* Not be expired

## Device Enrollment Authentication

Device enrollment uses a separate **enrollment key** (a long-lived API key), not a user JWT. See the [Enrollment API](/api-reference/enrollment) for details.
