Every call made to the LUSID API must be authorised by an API access token. To obtain an API access token, you require a client secret.

Note that a call made:

  • Directly to the REST API must supply a pre-generated API access token as a Bearer token in the Authorization HTTP header. See how to do this.
  • Indirectly using the LUSID SDKs must provide credentials in a secrets file or as environment variables to helper classes that automate the process of obtaining an API access token and refreshing it upon expiry. Find out more about this.

An API access token encapsulates the roles assigned to the calling user, and so determines the permissions granted to that user to perform operations within LUSID.

There are two types of API access token:

  • The recommended and most secure option is to obtain a short-lived OAuth2.0-compliant token on demand from LUSID’s identity provider, Okta. To do this, you require the username and password of a valid LUSID account, and also a client ID and client secret unique to your application so that Okta only grants tokens to authorised requestors.
  • There may be circumstances in which it is not possible to use a short-lived OAuth2.0-compliant API access token. You can create and use a long-lived personal access token instead, though note this is less secure.