> ## Documentation Index
> Fetch the complete documentation index at: https://docs.opal.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate your requests to the Opal API.

# Overview

When making requests to the Opal API, you must pass an authentication bearer token in the header to identify yourself as an authorized user.

To do this, pass a header with key **Authorization** and value **Bearer** where is the value of the API token you generate from the admin API console.

## Using the API With Opal Service Users

Service users have their own identity in Opal and can be assigned Opal roles to scope their permissions. Opal Admins can create a service user on the **Organization Settings -> Service Users** page.

<img src="https://mintcdn.com/opalsecurity/pMl2nbqjDrt2OITx/images/reference/f61a8ad22e1f4ec07bfb9f35b4df7ded0eb9fc8e7d5e404171c869f46f60c329-image.png?fit=max&auto=format&n=pMl2nbqjDrt2OITx&q=85&s=be0ed5cfd67c6efbae41459b2c062fed" alt="" width="3812" height="1690" data-path="images/reference/f61a8ad22e1f4ec07bfb9f35b4df7ded0eb9fc8e7d5e404171c869f46f60c329-image.png" />

Service users can be assigned to Opal roles and scoped roles under the **Resources** tab. Service users can be added to Opal groups under the **Groups** tab. These can be combined to provide granular permissions to Service Users.

<img src="https://mintcdn.com/opalsecurity/pMl2nbqjDrt2OITx/images/reference/a7919b1ada3c3cccfcd49cddf08f370eb173e8f77f86f8fc6ff6d5bf3ce7c4b4-image.png?fit=max&auto=format&n=pMl2nbqjDrt2OITx&q=85&s=989f5d4f9d02d90892fe42fbd9ff5357" alt="" width="3802" height="1678" data-path="images/reference/a7919b1ada3c3cccfcd49cddf08f370eb173e8f77f86f8fc6ff6d5bf3ce7c4b4-image.png" />

API keys for service users can be created under the **API Keys** tab and can be set to expire. A maximum of **2 API Keys** can be created for a service user.

<img src="https://mintcdn.com/opalsecurity/n_kjNlpO6oWtW2Nl/images/reference/06c980b35d65f215291f33ebc3e876c777dadfd9c86dc4e1b66f7969f3461f92-image.png?fit=max&auto=format&n=n_kjNlpO6oWtW2Nl&q=85&s=a838282353d9b7e89f84f71096af6a14" alt="" width="3814" height="1676" data-path="images/reference/06c980b35d65f215291f33ebc3e876c777dadfd9c86dc4e1b66f7969f3461f92-image.png" />

## Using the API with Personal Access Tokens

Personal access tokens are tied to your identity and have your permissions. By default, only Opal Admins can generate personal access tokens. However, admins can enable all users to create PATs by toggling the **Allow all users to create PATs** setting in **Organization Settings -> Advanced**.

Users can generate personal access tokens on the **User -> Settings** page:

<img src="https://mintcdn.com/opalsecurity/pMl2nbqjDrt2OITx/images/reference/61bd0ce06e34c06fdfa4ea0cbf01ba3d53e43ec1e7de8157a999c36fdce803a8-image.png?fit=max&auto=format&n=pMl2nbqjDrt2OITx&q=85&s=83b8ea9d13f60aa0a8b7f6c3fb16442b" alt="" width="3820" height="1790" data-path="images/reference/61bd0ce06e34c06fdfa4ea0cbf01ba3d53e43ec1e7de8157a999c36fdce803a8-image.png" />

Personal access tokens can either be **Read-only** or **Full-access**:

* **Read-only tokens** can only perform GET requests, limited to resources you have permission to view.
* **Full-access tokens** can perform all API operations (GET, POST, PUT, DELETE), but are still scoped to your user permissions - you cannot access or modify resources beyond what your Opal role allows.

Once the token is generated, copy it and use it to make authenticated requests to the Opal API. If a token is compromised, you can revoke it from the same page. Any other Opal Admin can revoke your token from the **Organization Settings -> API Tokens** page.

<img src="https://mintcdn.com/opalsecurity/pMl2nbqjDrt2OITx/images/reference/850478aef24cb9d4d89076baef79bd7b612a853dc1088d31163e0069f3540c8d-image.png?fit=max&auto=format&n=pMl2nbqjDrt2OITx&q=85&s=a872614b7bfff70a2bb6aa7a43061cb0" alt="" width="3818" height="1682" data-path="images/reference/850478aef24cb9d4d89076baef79bd7b612a853dc1088d31163e0069f3540c8d-image.png" />