Skip to main content
Marqeta’s Core API enforces HTTP Basic Authentication on incoming requests. This mechanism utilizes the standard Authorization field in the header for holding the credentials.

Authentication types

All requests must provide the application token as the username. This token identifies the application that sent the request. The password can be either unspecified, an admin access token, a user access token, or a single-use access token. Depending on the password value provided, the Marqeta platform assigns one of four authentication types to the request. Each authentication type corresponds to an authorization level that controls the request’s access to API endpoints and data. The following table summarizes the Marqeta platform authentication types and their corresponding authorization levels.
Authentication Type and Authorization LevelApplication Token Required as UsernameAdmin Access Token Required as PasswordUser Access Token Required as PasswordSingle-Use Access Token Required as Password
Unauthenticated


Authorizes access to public API endpoints and data.
Admin


Authorizes access to all API endpoints and data associated with the program.
User


Authorizes access to all API endpoints and data associated with the user.
User single-use


Authorizes a single request with access to all API endpoints and data associated with the user.
Client access


Displays a virtual card’s sensitive data.

Obtaining tokens

Marqeta distributes application tokens and admin access tokens directly to customers. Both application and admin access tokens are static, meaning that you can reuse them indefinitely. You can also use Marqeta’s self-service credential API to create, retrieve, and delete admin access tokens. You can create up to 20 new admin access tokens per application. For more information, see the Self-Service Credentials page. User access tokens and single-use access tokens are dynamically allocated by the Core API:
  • A POST request to the /users/auth/login endpoint returns a user access token that is valid until the user is logged out or times out.
  • A POST request to the /users/auth/onetime endpoint returns a single-use access token for a specified user that is valid for a single request.
  • A POST request to the /users/auth/clientaccesstoken endpoint returns an access token for a specified card that is valid for a single request.
See the Log in user, Create single-use token, and Create client access token sections of the Users API reference page for more information about these endpoints.

Expiration and throttling

Application tokens never expire. Admin access tokens distributed directly by Marqeta also never expire. However, if you are using the self-service credential API to create admin access tokens, those admin access tokens will expire according to your configuration. For more information, see the Self-Service Credentials page. User access tokens and user single-access tokens expire after two hours (120 minutes). Client access tokens expire after 5 minutes. Requesting a user access, user single-access, or a client access token using incorrect credentials returns an HTTP 401 status code. A throttling mechanism limits token requests to three within any 60 consecutive seconds. Throttled token requests also return an HTTP 401 status code.

cURL example

This example illustrates a call (in cURL format) to retrieve account balances for a user. The user’s ID token is bigbird_token. The user’s current user access token is user_access_token. The application token is application_token.
cURL
curl -X GET --user application_token:user_access_token \
-H "Content-Type: application/json" \
"https://sandbox-api.marqeta.com/v3/users/my_user_01/balances"

Related topics

Authentication with the DiVA APIUpdating Multi-Factor Authentication in the Marqeta DashboardSignature VerificationAccount Validation via PlaidTransactions