---
title: Ways to authenticate
sidebar:
  order: 3
---

Every request to TIE services requires a Bearer token in the `Authorization` header. How you obtain that token depends on who is calling.

| Method | Who it's for | How it works |
|--------|-------------|--------------|
| [**User tokens**](/authentication/user-tokens/) | Browser and mobile apps | User signs in via email/password or OAuth. TIE Auth returns a short-lived JWT. |
| [**Service accounts**](/authentication/service-accounts/) | Backend services | Service uses a shared secret (`AUTH_SECRET`) to call TIE directly — optionally on behalf of a user. |

All other docs pages assume you already have a Bearer token. When you see `Authorization: Bearer $TOKEN` in an example, refer back here if you need to know how to get one.