# Authentication

The API currently supports access token-based authentication.

## How do I access an API token?

If you have the Resourcing Administrator role, you can access your organization's token in the Resource Management application.

1. Select the kebab icon (three vertical dots) in the top-right of the application, and then select **Settings**. The settings panel appears.
2. On the left side, select the **Developer API** tab.
3. Copy your token from the token text field near the bottom of the panel.


Store your token in a safe place.

## API token management best practices

Never commit access tokens (API keys) to accessible version control systems like GitHub or Bitbucket. Instead, use one of the following recommended storage options.

### What are some recommended API token storage options?

The following API token storage options are recommended:

- Use an app configuration tool suitable for deploying secrets to your app, or
- Use a config file outside of source control, or
- Use environment variables set outside of source control.


### What are some best practices for storing tokens in a database?

If you need to store your API token in a database, consider the following protections:

- Restrict database access, so the API token is only readable by the owner of the object
- Restrict read privileges to the database table
- Make sure your database or the disk the database is on is set to encrypt data at rest


## Authentication options in requests

In your HTTP requests, you can specify your API token as a query parameter named `auth`, or as an HTTP header with the same name.

The points below demonstrate both authentication options:

- The following command demonstrates sending the token in the **HTTP header** named `auth`:

```bash
# Token in HTTP header (recommended)
curl -X GET https://api.rm.smartsheet.com/api/v1/users \
  -H "Content-Type: application/json" \
  -H "auth: RM_API_TOKEN"
```
If you use the above command, replace `RM_API_TOKEN` with your Resource Management API token value.
- The following command demonstrates sending the token in the **query parameter** named `auth`:

```bash
# Token on URL (the URL is quoted so the shell does not treat "?" as a glob character)
curl -X GET "https://api.rm.smartsheet.com/api/v1/users?auth=URL-ENCODED-TOKEN" \
  -H "Content-Type: application/json"
```


## Authentication examples by product and region

Requests to the Gov API server and the Australian (AU) Resource Management API server require passing in a Smartsheet API token in addition to your Resource Management API token.

For example, calls to the Gov API server require specifying the Smartsheet API token as a bearer token in an `Authorization` HTTP header. Examine the following Gov API call.


```bash
curl -X GET https://app.smartsheetgov.com/2.0/rm/api/v1/projects \
-H "Authorization: Bearer SMARTSHEET_API_TOKEN" \
-H "auth: RM_API_TOKEN"
```

If you use the above command, replace `SMARTSHEET_API_TOKEN` with your Smartsheet API token value and `RM_API_TOKEN` with your Resource Management API token value.

The following sentences describe each line of the above cURL command:

1. The first line uses cURL to issue an HTTP GET request to the endpoint for listing projects.
2. The second line specifies the Smartsheet API token; it's required for calling the Gov API server.
3. The last line specifies the Resource Management API token.


The following table identifies the base URL for each product or region and indicates whether a Resource Management token and a Smartsheet API token are required:

| **Product / Region** | **Base URL** | **RM `auth: RM_API_TOKEN` required?** | **Smartsheet `Authorization: Bearer SMARTSHEET_API_TOKEN` required?** |
|  --- | --- | --- | --- |
| US | `https://api.rm.smartsheet.com/api/v1/` | Yes | No |
| EU | `https://api.rm.smartsheet.eu/api/v1/` | Yes | No |
| AU | `https://app.smartsheet.au/2.0/rm/api/v1/` | Yes | Yes |
| Gov | `https://app.smartsheetgov.com/2.0/rm/api/v1` | Yes | Yes |
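
The following example is added here and is not part of the Resource Management documentation: it reads both tokens from environment variables and builds a curl config that applies the per-region header requirements from the table above. The variable names `RM_API_TOKEN` and `SMARTSHEET_API_TOKEN` and the `rm_*` function names are assumptions made for this example; piping the output to `curl --config -` keeps the tokens out of the URL and the command line.

```shell
# Added example: tokens come from environment variables set outside source
# control. The variable names RM_API_TOKEN and SMARTSHEET_API_TOKEN and the
# rm_* function names are assumptions made for this example.

# Base URL per product/region, taken from the table above (no trailing slash).
rm_base_url() {
  case "$1" in
    us)  echo "https://api.rm.smartsheet.com/api/v1" ;;
    eu)  echo "https://api.rm.smartsheet.eu/api/v1" ;;
    au)  echo "https://app.smartsheet.au/2.0/rm/api/v1" ;;
    gov) echo "https://app.smartsheetgov.com/2.0/rm/api/v1" ;;
    *)   echo "unknown region: $1" >&2; return 2 ;;
  esac
}

# Reject empty values and characters that would end or escape the quoted
# string in a curl config line (double quote, backslash).
rm_token_ok() {
  case "$1" in
    ''|*'"'*|*'\'*) return 1 ;;
  esac
}

# Print a curl config for REGION ($1) and PATH ($2).
# All checks run before any output, so a failure never emits a partial config.
rm_curl_config() {
  _base="$(rm_base_url "$1")" || return 2
  rm_token_ok "${RM_API_TOKEN:-}" || {
    echo "RM_API_TOKEN is missing or malformed" >&2; return 1; }
  case "$1" in
    au|gov)
      rm_token_ok "${SMARTSHEET_API_TOKEN:-}" || {
        echo "SMARTSHEET_API_TOKEN is required for region $1" >&2; return 1; }
      ;;
  esac
  printf 'url = "%s/%s"\n' "$_base" "$2"
  printf 'header = "Content-Type: application/json"\n'
  printf 'header = "auth: %s"\n' "$RM_API_TOKEN"
  case "$1" in
    au|gov) printf 'header = "Authorization: Bearer %s"\n' "$SMARTSHEET_API_TOKEN" ;;
  esac
}

# Usage (headers travel on stdin, not in the URL or the argument list):
#   rm_curl_config gov projects | curl --config -
```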


Now you know how to get your organization's API token, how to manage tokens, and how to authenticate with Resource Management in Gov and across different regions.