Using Carta's OAuth Workflow

How your application requests authorization to access Carta data

Carta’s API uses the OAuth 2.0 open specification to authorize your access to our data, and supports the AUTHORIZATION_CODE and CLIENT_CREDENTIALS grant types. Carta provides you with a client_id and a client_secret and configures your access to a specific set of OAuth scopes (permissions) that are bound to one or more API resources.

Authorization Code Flow

If you access Carta data about a third party, you will use the authorization code flow to authenticate your access. This flow requires explicit permission from that third party before Carta grants you access. If permission is granted, Carta's API will generate a temporary token, valid for 60 seconds, which you then use with your client_id and client_secret to generate an access token.

Client Credentials Flow

If you access data solely within your own Carta account, you will use the client credentials flow to authenticate your access. You will create a user in your Carta account which Carta will associate with your client credentials. This user will be for API access only and cannot log in to Carta’s web application.

Access Token Lifetime

An access token is valid for one hour, after which you will need to request a new token.
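
The client credentials flow and the one-hour lifetime above, sketched as an in-memory token cache that renews the token shortly before it expires. This is an added example, not Carta's code. Assumptions: TOKEN_URL is a placeholder, the request follows the generic RFC 6749 section 4.4 form with HTTP Basic client authentication, and the response is assumed to carry access_token and optionally expires_in.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.example.invalid/oauth2/token"  # placeholder, not Carta's real endpoint
DEFAULT_LIFETIME = 3600  # page: an access token is valid for one hour
REFRESH_MARGIN = 60      # assumption: renew a minute early to absorb latency and skew


def build_token_request(client_id, client_secret, scope):
    """Generic RFC 6749 4.4 request; the secret travels only in the Authorization header."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return urllib.request.Request(
        TOKEN_URL, data=body.encode(), method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def http_fetch(request):
    """Default transport: send the request over TLS and parse the JSON token response."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token in memory and replaces it shortly before it expires."""

    def __init__(self, client_id, client_secret, scope, fetch=http_fetch, clock=time.monotonic):
        self._creds = (client_id, client_secret, scope)
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN:
            reply = self._fetch(build_token_request(*self._creds))
            self._token = reply["access_token"]
            # expires_in is optional in RFC 6749; fall back to the documented one hour.
            self._expires_at = now + int(reply.get("expires_in", DEFAULT_LIFETIME))
        return self._token

    def __repr__(self):
        return "TokenCache(<redacted>)"  # keep the secret and token out of logs and tracebacks
```

The fetch and clock parameters are injectable so the cache can be exercised without network access; load client_secret from a secret store or environment variable rather than from source code.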