Coviu uses a number of common OAuth2 (RFC 6749) mechanisms for authenticating and authorising an API client. The basic approach is to follow one of the OAuth2 authorisation flows to be issued an access token and bearer token, which may then be used to access user resources via the Coviu API.

The most basic use case is an API client acting on behalf of the owner of the client. In this case the client may follow the OAuth2 client_credentials flow to be issued access and refresh tokens directly.

API users will have been issued an api_key and key_secret pair.
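
The client_credentials exchange described above, sketched as an added example that is not Coviu's own code. It assumes api_key and key_secret serve as the OAuth2 client_id and client_secret sent with HTTP Basic authentication, and it uses a placeholder token URL; the sample reply is constructed.

```python
import base64
import json
import time
from urllib.parse import quote_plus, urlencode

# Placeholder, not Coviu's real endpoint: take the token URL from the Coviu API reference.
TOKEN_URL = "https://api.example.invalid/auth/token"


def build_token_request(api_key, key_secret):
    """Return (url, headers, body) for an RFC 6749 section 4.4 token request.
    Assumption: api_key / key_secret act as the OAuth2 client_id / client_secret
    and are sent with HTTP Basic auth (RFC 6749 section 2.3.1), never in the URL.
    """
    # Section 2.3.1: form-urlencode each credential before joining with ':'.
    pair = f"{quote_plus(api_key)}:{quote_plus(key_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return TOKEN_URL, headers, urlencode({"grant_type": "client_credentials"})


def parse_token_response(status, raw_body, now=None):
    """Validate a token endpoint reply and return the tokens with a refresh time."""
    data = json.loads(raw_body)
    if status != 200 or "error" in data:
        # Section 5.2 error body; report the error code only, never the credentials.
        raise ValueError(f"token request failed: {data.get('error', status)}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        # Refresh 30 s early so a request never goes out with a token about to lapse.
        "refresh_at": now + max(int(data.get("expires_in", 0)) - 30, 0),
    }


def bearer_header(tokens):
    """Authorization header for subsequent API calls (RFC 6750)."""
    return {"Authorization": "Bearer " + tokens["access_token"]}


# Constructed sample reply, shaped like RFC 6749 section 5.1; not real Coviu output.
SAMPLE_REPLY = json.dumps({"access_token": "constructed-access", "token_type": "Bearer",
                           "expires_in": 3600, "refresh_token": "constructed-refresh"})
```

Pass the returned URL, headers and body to any HTTPS client, and keep key_secret and the issued tokens out of logs and query strings.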