> ## Documentation Index
> Fetch the complete documentation index at: https://finance.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Auth Flow

> Feature-module overview: how an app authenticates with Aries via OAuth2, gets an access token, and uses it across REST and WebSocket.

<Note>
  **Module skeleton.** The Auth module already has a complete guide — this page orients you and points to it. Everything in the Orders, Account, and Market Data modules depends on having a valid access token first.
</Note>

Every Aries API call — REST or WebSocket — needs an **access token**. You get one through **OAuth2**: send the user to Aries to sign in, receive an authorization code, and exchange it for a token. Then you attach that token to every request.

```mermaid theme={null}
sequenceDiagram
    participant App
    participant Aries
    App->>Aries: Redirect user to sign in & consent
    Aries->>App: Authorization code
    App->>Aries: Exchange code at /v1/oauth2/token
    Aries->>App: access_token + refresh_token
    App->>Aries: API calls with Bearer access_token
```

***

## Where to go

<CardGroup cols={2}>
  <Card title="OAuth2 overview" icon="shield-halved" href="/api-reference/oauth2/guide">
    Plain-English walkthrough: terms, scopes, and which flow to pick.
  </Card>

  <Card title="Authorization Code flow" icon="server" href="/api-reference/oauth2/auth-code-flow">
    For apps with a backend that can hold a `client_secret`.
  </Card>

  <Card title="PKCE flow" icon="mobile-screen" href="/api-reference/oauth2/pkce-flow">
    For browser SPAs and mobile apps with no server secret.
  </Card>

  <Card title="Token endpoint" icon="key" href="/api-reference/oauth2/token">
    Exchange codes and refresh tokens at `POST /v1/oauth2/token`.
  </Card>
</CardGroup>

***

## Using the token

Once you have an `access_token`:

* **REST:** send it as a header — `Authorization: Bearer YOUR_ACCESS_TOKEN`.
* **WebSocket:** authenticate within 5 seconds of connecting by sending it in the [auth request](/websockets/account-updates#step-2-connect-authenticate).

Request only the [scopes](/api-reference/oauth2/guide#available-scopes) you need — e.g. `order:execution` to place orders, `account:information` to read balances and positions.
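The steps in the flow above (redirect, code, exchange at `/v1/oauth2/token`, Bearer header) and the scope/refresh handling in this section, worked through as an added, offline example. This is not Aries' own SDK or code from this site: the token path comes from the page, but the host, the authorize path, the parameter names (standard RFC 6749 / RFC 7636 names) and the `expires_in` field in the token response are assumptions. The sample token response is constructed.

```python
"""Added example (not Aries code): client-side OAuth2 helpers for the Aries auth flow.
Assumed: host api.aries.example, authorize path /v1/oauth2/authorize, RFC 6749 / 7636
parameter names, and an expires_in field in the token response (only access_token and
refresh_token are stated on the page)."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://api.aries.example/v1/oauth2/authorize"  # assumed
TOKEN_URL = "https://api.aries.example/v1/oauth2/token"          # path from the page; host assumed


def make_pkce_pair():
    """RFC 7636 S256 pair for SPAs / mobile apps that cannot hold a client_secret."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge=None):
    """Step 1: the URL the user is redirected to. Request only the scopes the app needs."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # unguessable, bound to the user's session, checked on the callback
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: pull the authorization code out of the callback, rejecting a bad state."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def token_request(code, redirect_uri, client_id, client_secret=None, code_verifier=None):
    """Step 3: form body for POST /v1/oauth2/token (authorization_code grant).
    Backend apps send client_secret; PKCE apps send code_verifier instead."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    if code_verifier is not None:
        body["code_verifier"] = code_verifier
    return body


def refresh_request(refresh_token, client_id):
    """Body for POST /v1/oauth2/token when the access token is about to expire."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}


class TokenSet:
    """Step 4: holds the issued tokens and builds the header every REST call carries."""

    def __init__(self, token_response, now=None):
        self.access_token = token_response["access_token"]
        self.refresh_token = token_response.get("refresh_token")
        now = time.time() if now is None else now
        self.expires_at = now + int(token_response.get("expires_in", 0))

    def auth_header(self):
        return {"Authorization": f"Bearer {self.access_token}"}

    def needs_refresh(self, now=None, skew=60):
        """Refresh a little early so an in-flight request never carries an expired token."""
        now = time.time() if now is None else now
        return now >= self.expires_at - skew


# Constructed sample response (shape beyond access_token/refresh_token is assumed).
SAMPLE_TOKEN_RESPONSE = {"access_token": "at-demo", "refresh_token": "rt-demo", "expires_in": 3600}

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("my-app", "https://app.example/cb",
                              ["order:execution", "account:information"], state, challenge))
    tokens = TokenSet(SAMPLE_TOKEN_RESPONSE)
    print(tokens.auth_header(), tokens.needs_refresh())
```

The `state` check in `parse_callback` is what ties the returned code to the session that started the flow; the verifier is never sent until the token exchange, so an intercepted code alone is not enough to obtain a token. For the WebSocket, send `tokens.access_token` in the auth request immediately after connecting to stay inside the 5-second window.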

<Card title="Quick Start" icon="bolt" href="/api-reference/quickstart">
  Get a working authenticated API call in a few minutes.
</Card>
