Hello @Susan Genoray, the API uses a form of digital signature to handle authentication (specifically, HMAC-SHA256 wrapped in a HTTP signature within the "Authorization" header). An API client will receive a secret key from WC1, and will use this key to sign every request they send through to the API. When WC1 receives an API request, it will try to recompute the digital signature for the given user, and will only process the request if the signatures match. This signature is also used to validate that the contents of the API requests are not tampered with, in that their full contents form part of the data that is used to compute the signature.