# Authentication

MoreLogin uses different authentication methods for its two API types.

## Local API Authentication

The Local API runs on `http://127.0.0.1:40000` and is accessible only from the local machine.

### Default Mode (No Authentication)

By default, the Local API does not require authentication. You can make requests directly:


```bash
curl -X POST http://127.0.0.1:40000/api/env/page \
  -H "Content-Type: application/json" \
  -d '{
    "pageNo": 1,
    "pageSize": 10
  }'
```

### Enabling Authentication

For enhanced security, you can enable Local API authentication in the MoreLogin client:

1. Open the MoreLogin client
2. Navigate to **Settings** → **API & MCP**
3. Enable **Local API Authentication**
4. Copy the generated authorization token


![Enable Local API Authentication](/assets/image.590455fe8c04c7aec45454ddba2524af46ee8128e15fbef43221c071f4863f91.8f1e5674.png)

After enabling, include the `Authorization` header in all requests:


```bash
curl -X POST http://127.0.0.1:40000/api/env/page \
  -H "Content-Type: application/json" \
  -H "Authorization: YOUR_AUTH_TOKEN" \
  -d '{
    "pageNo": 1,
    "pageSize": 10
  }'
```

> **Security Note**: The Local API is only available on `localhost`. It cannot be accessed remotely.


## Open API Authentication (OAuth2)

The Open API uses the OAuth2 client credentials flow to authenticate requests.

> Open API Server endpoint: `https://api.morelogin.com`


### Step 1: Get API ID and API Key

1. Open the MoreLogin client
2. Navigate to **Settings** → **API & MCP**
3. Copy the **API ID** and **API Key**


### Step 2: Get Access Token

Exchange your API ID and API Key for an access token:


```bash
curl -X POST https://api.morelogin.com/oauth2/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_API_ID",
    "client_secret": "YOUR_API_KEY",
    "grant_type": "client_credentials"
  }'
```

**Sample Response:**


```json
{
    "code": 0,
    "msg": null,
    "data": {
        "scope": "cloudphone",
        "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
        "token_type": "Bearer",
        "expires_in": 3600,
        "client_metadata": {
            "name": "Example Team"
        }
    },
    "requestId": "4b727b1d53a445d0a46389465b562360"
}
```

### Step 3: Use Access Token

Include the access token in the `Authorization` header for all Open API requests:


```bash
curl -X POST https://api.morelogin.com/cloudphone/app/page \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "pageNum": 1,
    "pageSize": 10
  }'
```

> **Note**: Access tokens expire after **3600 seconds** (1 hour). Request a new token when the current one expires.


## Authentication Comparison

| Feature | Local API | Open API |
|  --- | --- | --- |
| **Method** | Static token (optional) | OAuth2 access token |
| **Token Lifetime** | Permanent (until regenerated) | 1 hour |
| **Where to Get** | MoreLogin client settings | Exchange API ID + Key |
| **Header Format** | `Authorization: TOKEN` | `Authorization: Bearer TOKEN` |
| **Required** | Optional (can be disabled) | Always required |