API Authentication is an authentication method for server-to-server communication with Smartcar. Your application obtains a single application-level access token using the OAuth 2.0 Client Credentials flow.

How It Works

API Authentication uses the OAuth 2.0 Client Credentials flow, designed for server-to-server scenarios where no user interaction occurs. Here’s the flow:
  1. Authenticate: Exchange your Client ID and Secret for an access token
  2. Make Requests: Use the access token for all subsequent API calls
The access token is valid for 1 hour. When it expires, request a new one from the token endpoint.

Key Concepts

API Credentials

Your API credentials consist of:
  • Client ID — Public identifier for your application (safe to hardcode)
  • Client Secret — Private credential for authentication (must be stored securely)
Treat your Client Secret like a password. Never commit it to version control or expose it in client-side code.

User ID (userId)

The userId is a unique identifier within the Smartcar platform representing a specific user’s vehicle connection. You obtain this ID from the Connections API when a user grants access to their vehicle.

sc-user-id Header

The sc-user-id header is required when accessing vehicle signals and issuing commands. It tells the API which user’s vehicle connection to operate on. You obtain the userId from the Connect redirect URL when a user completes the authorization flow.
GET https://vehicle.api.smartcar.com/v3/vehicles/{id}/signals
Authorization: Bearer YOUR_ACCESS_TOKEN
sc-user-id: {userId}
The header is also accepted on the /connections endpoint to filter results by user.
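The two-step flow above (exchange Client ID and Secret for a 1-hour token, then call the vehicle API with a Bearer token and the sc-user-id header) as an added example; this is illustration code, not Smartcar's SDK. The token endpoint URL, the `fetch` transport callback and the environment variable names are assumptions; the vehicle API path is the one shown above.

```python
import base64
import os
import time
from typing import Callable, Dict, Tuple

# Hypothetical token endpoint: a placeholder, not a URL taken from the page.
TOKEN_URL = "https://auth.smartcar.example/oauth/token"
VEHICLE_API = "https://vehicle.api.smartcar.com/v3"

# fetch(url, headers, form_body) -> parsed JSON token response. The HTTP transport is
# injected so the caching logic can be exercised offline with a fake.
Fetcher = Callable[[str, Dict[str, str], Dict[str, str]], dict]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client authentication per RFC 6749 section 2.3.1: credentials travel in an HTTP
    Basic header, never in the query string where they would end up in access logs."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


class ClientCredentialsSession:
    """Holds one application-level token and refreshes it before the 1-hour expiry."""
    SKEW = 60  # refresh this many seconds early so a request never carries a stale token

    def __init__(self, client_id: str, client_secret: str, fetch: Fetcher, clock=time.time):
        self._auth = basic_auth_header(client_id, client_secret)
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at = None, 0.0

    @classmethod
    def from_env(cls, fetch: Fetcher) -> "ClientCredentialsSession":
        # The secret is read from the environment (assumed variable names), never from source.
        return cls(os.environ["SMARTCAR_CLIENT_ID"], os.environ["SMARTCAR_CLIENT_SECRET"], fetch)

    def token(self) -> str:
        # Reuse the cached token until it is within SKEW seconds of expiring, then re-request.
        if self._token is None or self._clock() >= self._expires_at - self.SKEW:
            resp = self._fetch(TOKEN_URL, {"Authorization": self._auth},
                               {"grant_type": "client_credentials"})
            self._token = resp["access_token"]
            self._expires_at = self._clock() + float(resp["expires_in"])
        return self._token

    def signals_request(self, vehicle_id: str, user_id: str) -> Tuple[str, str, Dict[str, str]]:
        """Build the vehicle signals call shown above: Bearer token plus sc-user-id header."""
        headers = {"Authorization": f"Bearer {self.token()}", "sc-user-id": user_id}
        return "GET", f"{VEHICLE_API}/vehicles/{vehicle_id}/signals", headers
```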

Connections API

The Connections API manages vehicle connections at the application level. With API Authentication, you use this API to:
  • Retrieve connected vehicle IDs (userId values)
  • Manage vehicle connections
  • Handle subscription events

Security Considerations

Never store your Client Secret in public clients, browser cookies, or plain text files. Your backend must securely store and manage API credentials.
Follow these security best practices:
  • Secure Storage — Keep Client Secrets in environment variables, secrets management systems, or encrypted vaults
  • Secret Rotation — Rotate your Client Secret on a regular schedule or immediately if compromised
  • Audit Trails — Monitor your Smartcar Dashboard for API Credentials activity and audit logs
  • Least Privilege — Restrict API credential access to backend services that require it
  • No Client-Side Usage — Never use API credentials in mobile apps, web frontends, or any public-facing code
Your Smartcar Dashboard provides visibility into credential usage and security events. Review audit logs regularly to detect unauthorized activity.

What’s Next

Ready to implement API Authentication?