# Authenticate with a service account

> Use Basic or Bearer authentication when accessing APIs with a service account

You can use either Basic or Bearer authentication to access Unity service API endpoints with a service account. In both cases, use a key ID as the client name and the matching secret as the client secret. Don't use the service account name or its UUID to authenticate.

All keys that belong to the same service account are interchangeable and resolve to the same service account. Read more about [managing keys for a service account](/cloud/virtual-private-cloud/admin/users-service-accounts/manage-keys-for-service-account.md).

## Bearer token authentication

To use Bearer authentication, first obtain a JWT token for the service account, and then pass it in the `Authorization` header of your API request. To obtain the token, follow the standard OAuth 2.0 Client Credentials flow by sending an HTTP POST request to the Keycloak token endpoint:

```text
https://<SolutionFQDN>/auth/realms/unity/protocol/openid-connect/token
```

Replace `<SolutionFQDN>` with the fully qualified domain name (FQDN) of the solution.

### Example

The following sample request uses cURL to obtain a JWT token:

```shell
curl --request POST \
  --url 'https://<SolutionFQDN>/auth/realms/unity/protocol/openid-connect/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data 'client_id=<KeyId>' \
  --data 'client_secret=<Secret>'
```

Replace the `<KeyId>` and `<Secret>` placeholders with the ID and the secret of one of the keys that were created for the service account.
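The following is an added example, not part of the original documentation or Unity's own code: a small Python client that runs the same Client Credentials request, caches the token, and refreshes it shortly before expiry so the secret is sent only when needed. The environment variable names, the class name, and the 30-second refresh margin are assumptions, as is a token response that carries `access_token` and `expires_in` as described in RFC 6749.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Token endpoint path as given on this page.
TOKEN_PATH = "/auth/realms/unity/protocol/openid-connect/token"


def post_form(url, fields):
    """Default transport: POST url-encoded form fields, return the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()  # encodes special chars in the secret
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ServiceAccountToken:
    """Fetches a token with the client credentials grant and caches it."""

    def __init__(self, fqdn, key_id, secret, post=post_form, clock=time.time, skew=30):
        self._url = f"https://{fqdn}{TOKEN_PATH}"
        self._fields = {"grant_type": "client_credentials",
                        "client_id": key_id, "client_secret": secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def bearer_header(self):
        """Return the Authorization header value, refreshing near expiry."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            reply = self._post(self._url, self._fields)
            self._token = reply["access_token"]
            # Assumption: the reply carries expires_in (seconds), as RFC 6749 recommends.
            self._expires_at = self._clock() + int(reply.get("expires_in", 0))
        return "Bearer " + self._token


if __name__ == "__main__":
    # Hypothetical variable names; reading from the environment keeps the
    # secret out of shell history and the process list.
    token = ServiceAccountToken(os.environ["UNITY_FQDN"],
                                os.environ["UNITY_KEY_ID"],
                                os.environ["UNITY_KEY_SECRET"])
    headers = {"Authorization": token.bearer_header()}
    print("obtained token; Authorization header ready:", sorted(headers))
```

Pass the value returned by `bearer_header()` as the `Authorization` header of each API request, and avoid writing the token or the secret to logs.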
