OAuth 2.0 and token_auth are both used to authenticate API requests in Matomo, but they differ in how access is granted and managed. OAuth 2.0 provides scoped, time-limited access through a standardised flow, while token_auth uses a static token tied directly to a user account.

Using OAuth 2.0 alongside token_auth

These frequently asked questions outline the differences between OAuth 2.0 and token_auth, and explain how they can be used together or transitioned between.

  1. Does OAuth 2.0 completely replace token_auth?
    No. OAuth 2.0 is an alternative authentication method. Existing integrations using token_auth will continue to work, but OAuth 2.0 is recommended for new integrations.

  2. Can I use both OAuth 2.0 and token_auth at the same time?
    Yes. Both methods can coexist, allowing gradual migration.

  3. Do I need to change API calls when switching to OAuth 2.0?
    Yes. Replace the token_auth=… parameter with the request header:

    Authorization: Bearer ACCESS_TOKEN
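
An added example, not Matomo's own code: one way to rewrite an existing API call so that token_auth is removed from both the query string and the form body, and the OAuth 2.0 access token travels only in the Authorization header. The host, the sample API parameters, the token values and the helper names are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LEGACY_PARAM = "token_auth"  # static-token parameter named on this page


def _without_legacy(encoded):
    """Drop token_auth from a query string or form-encoded body."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return urlencode([(k, v) for k, v in pairs if k != LEGACY_PARAM])


def uses_token_auth(url, form_body=""):
    """True if a call still carries token_auth (useful during gradual migration)."""
    fields = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    fields += parse_qsl(form_body, keep_blank_values=True)
    return any(k == LEGACY_PARAM for k, _ in fields)


def to_bearer_request(url, access_token, form_body=""):
    """Return (url, form_body, headers) authenticated with a Bearer token only."""
    # Reject empty tokens and CR/LF so the value cannot split the header.
    if not access_token or "\r" in access_token or "\n" in access_token:
        raise ValueError("access token is empty or contains CR/LF")
    parts = urlsplit(url)
    clean_url = urlunsplit(parts._replace(query=_without_legacy(parts.query)))
    headers = {"Authorization": f"Bearer {access_token}"}
    return clean_url, _without_legacy(form_body), headers


# Constructed sample call; host and token values are placeholders.
LEGACY_URL = (
    "https://matomo.example/index.php?module=API&method=VisitsSummary.get"
    "&idSite=1&period=day&date=today&format=JSON&token_auth=CONSTRUCTED_STATIC_TOKEN"
)

if __name__ == "__main__":
    url, body, headers = to_bearer_request(LEGACY_URL, "CONSTRUCTED_ACCESS_TOKEN")
    print(url)
    print(headers)
```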