What is a Plan?
A Plan is a collection of API resources that you can subscribe to. It can contain various operations from one or more APIs.
How do Plans manage API usage?
Each Plan has rate limits that specify how many requests your application can make within a certain time interval. A Plan might have a single rate limit for all its resources, or different limits for each one.
What is an Application?
An Application represents your project or service that will be using our APIs. When you register an application, you receive an API Key and Secret, which are the credentials needed to call our APIs securely.
API Keys and OAuth Tokens
To ensure that only authorized applications can access our APIs, we use two primary security methods: API Keys and OAuth 2.0 Tokens.
The specific method required is determined by the API you are using and will be detailed in its documentation.
Method 1: API Key & Secret
This is a straightforward method where your application is assigned static credentials that are used for every request.
How it Works:
- When you register an application in the Developer Portal, you are provided with a unique API Key and an API Secret. The API Key acts like a username, identifying your application to the API.
- In every API call, you must include these credentials to authenticate your application. Typically, this is done by sending the API Key in the request headers.
This method is simple and effective for many server-to-server communications. Remember to keep your API Secret confidential, as it authenticates your application.
Method 2: OAuth 2.0 with Access Tokens
This method uses a more dynamic, token-based approach for enhanced security. Instead of sending your primary credentials with every request, you exchange them for a temporary access token.
How it Works:
- Request a Token: Your application makes a call to a specific security token endpoint, sending its Client ID and Client Secret (your application's API Key and Secret) to authenticate itself.
- Receive a Token: The server validates these credentials and returns a short-lived access token.
- Make API Calls: Your application then includes this access token—typically as a "Bearer Token" in the Authorization header—with its API requests.
- Refresh the Token: This token is designed to expire after a short period. Once it expires, your application must request a new one by repeating the process.
The main benefit of this method is that your long-term API Secret is transmitted only when requesting a token, not with every single API call. This limits the exposure of your primary credentials.
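The four steps above, sketched as a small token cache. This is an added example, not code from the Developer Portal or its APIs. It assumes the OAuth 2.0 client credentials grant with the Client ID and Secret sent via HTTP Basic; the `post` transport callable, the `TokenCache` name, and the demo credentials and tokens are hypothetical.

```python
import base64
import time

class TokenCache:
    """Holds one access token and re-requests it shortly before it expires."""

    def __init__(self, client_id, client_secret, post, clock=time.monotonic, skew=30):
        # Assumption: credentials are sent with HTTP Basic (RFC 6749, section 2.3.1).
        pair = f"{client_id}:{client_secret}".encode()
        self._basic = "Basic " + base64.b64encode(pair).decode()
        self._post = post    # hypothetical transport: post(headers, form) -> dict
        self._clock = clock
        self._skew = skew    # seconds of safety margin before the stated expiry
        self._token = None
        self._expires_at = 0.0

    def _fetch(self):
        # Request/receive a token: the only call that carries the secret.
        body = self._post({"Authorization": self._basic},
                          {"grant_type": "client_credentials"})
        token = body.get("access_token")
        if not token or str(body.get("token_type", "")).lower() != "bearer":
            raise ValueError("token endpoint did not return a bearer access token")
        # A missing expires_in is treated as 0, so the token is never reused.
        lifetime = float(body.get("expires_in", 0))
        self._token, self._expires_at = token, self._clock() + lifetime - self._skew

    def auth_header(self):
        # Make API calls with the cached token; refresh once it is (nearly) expired.
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        return {"Authorization": f"Bearer {self._token}"}

def demo():
    """Constructed run against a fake token endpoint and a fake clock."""
    now, secret_sends = [0.0], []
    def fake_post(headers, form):
        secret_sends.append(headers["Authorization"])
        return {"access_token": f"tok-{len(secret_sends)}",
                "token_type": "Bearer", "expires_in": 300}
    cache = TokenCache("demo-key", "demo-secret", fake_post, clock=lambda: now[0])
    first = cache.auth_header()      # t=0: fetches tok-1
    now[0] = 200.0
    second = cache.auth_header()     # t=200: tok-1 reused, secret not sent
    now[0] = 280.0
    third = cache.auth_header()      # t=280: inside the 30 s margin, fetches tok-2
    return first, second, third, len(secret_sends)
```

In a real client, `post` would wrap an HTTPS request to the token endpoint named in the API's documentation, and the secret would be loaded from a secrets store rather than written in source.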