# Using Access Manager

> Integrate Access Manager into your application — set up authentication, manage tokens, and combine Auth and Identity for end-to-end access control.

This guide walks you through using Access Manager in your application. It covers setup, configuration, and how the Auth and Identity services work together to handle authentication and identity management.

## Typical usage

***

Access Manager is built to make authentication straightforward, whether you’re managing real people or system-to-system integrations. In SaaS and BYOC Multi-Tenant environments, the access token also carries your tenant scope through a `tenantId` claim — every API call is automatically scoped to your tenant without any additional headers. Learn more about [multi-tenancy](/en/multi-tenancy).

Here’s how it typically fits into your workflow.

<Danger>
  Once **Access Manager** is enabled, **all API requests** must include an `Authorization` header with a valid **Bearer access token**.

  Without this header, your requests will be rejected, even for public or previously accessible endpoints.
</Danger>
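A client can check a token's tenant scope before attaching it to requests. This is an added example, not Lerian's code: it assumes the access token is a JWT whose payload carries the `tenantId` claim described above plus a standard `exp` claim. The function names and tenant values are hypothetical, and the sample token is constructed and unsigned.

```python
import base64
import json
import time


class TokenScopeError(ValueError):
    """Token is malformed, expired, or scoped to another tenant."""


def read_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Client-side sanity check only: the API remains the authority on validity.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise TokenScopeError("not a three-segment JWT")
    payload = parts[1]
    try:
        # JWT segments drop base64 padding; restore it before decoding.
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        claims = json.loads(raw)
    except ValueError as exc:
        raise TokenScopeError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise TokenScopeError("payload is not a JSON object")
    return claims


def auth_headers(access_token, expected_tenant, now=None):
    """Return the Authorization header if the token fits our tenant and is unexpired."""
    claims = read_claims(access_token)
    if claims.get("tenantId") != expected_tenant:
        raise TokenScopeError("token is scoped to a different tenant")
    exp = claims.get("exp")  # assumed standard JWT expiry, seconds since epoch
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise TokenScopeError("token expired; refresh it before calling the API")
    return {"Authorization": f"Bearer {access_token}"}


def sample_token(claims):
    """Build a constructed, unsigned JWT-shaped token for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    token = sample_token({"tenantId": "tenant-a", "exp": 2_000_000_000})
    print(auth_headers(token, "tenant-a", now=1_900_000_000))
```

Failing closed here keeps a token issued for one tenant from being sent by a client configured for another, for example when credentials are mixed up between environments.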

### Human access

When you’re creating the credentials for a person, you’ll usually follow these steps:

#### Step 1 - Check the group permissions

First, figure out what roles or permissions you want the person to have. To do so, you can list all groups available using the [List Groups](/en/reference/access-manager/list-groups) endpoint.

* If you want to check the details of a specific group, use the [Retrieve Group details](/en/reference/access-manager/retrieve-group-details) endpoint.

#### Step 2 - Create the user

Once you’ve got the right groups in mind, it’s time to create the user. To do so, use the [Create a User](/en/reference/access-manager/create-user) endpoint.

* Add them to the correct groups during creation so they get the permissions they need from day one.

**Managing Users**

The following endpoints are also available for you to manage the users and their access:

* [List Users](/en/reference/access-manager/list-users) - List all users created.
* [Retrieve User details](/en/reference/access-manager/retrieve-user-details) - Retrieve the information of a specific user.
* [Delete a User](/en/reference/access-manager/delete-user) - Remove a user’s access from the system.
* [Update a User](/en/reference/access-manager/update-user) - Update a user's information.
* [Reset a User Password](/en/reference/access-manager/reset-user-password) - Reset a user’s password.
* [Update a User Password](/en/reference/access-manager/update-user-password) - Update a user’s password by providing the current password along with the new one.

#### Step 3 - Request a token using password

The user can now authenticate using their credentials. To do so, use the [Request an Access Token](/en/reference/access-manager/request-access-token) endpoint with `password` as the `grantType`. This will return an access token they can use to access your protected APIs.

* If you need to renew an expired access token, use the [Refresh the Access Token](/en/reference/access-manager/refresh-token) endpoint.

### M2M access

For system-to-system (machine-to-machine) scenarios, the flow is a little different, but just as simple.

#### Step 1 - Create an application

Every system or service that needs to connect via M2M must have its own application. Use the [Create an Application](/en/reference/access-manager/create-an-application) endpoint to set up access to the Lerian application your system will talk to.

<Tip>
  The `name` field must match one of Lerian’s predefined application names. Right now, the available options are:

  * `midaz`
  * `plugin-fees`
  * `plugin-crm`
  * `plugin-smart-template`
</Tip>

<Accordion title="Managing Applications">
  The following endpoints are also available for you to manage the applications:

  * [List Applications](/en/reference/access-manager/list-applications) - List all applications that you have created to connect with Lerian’s application using M2M credentials.
  * [Retrieve an Application](/en/reference/access-manager/retrieve-application-details) - Retrieves detailed information about an Application.
  * [Delete an Application](/en/reference/access-manager/delete-application) - Remove an application and its associated credentials from the system.
</Accordion>

#### Step 2 - Request a token using client credentials

Once your application is set up, it can authenticate itself without a user. To do so, use the [Request an Access Token](/en/reference/access-manager/request-access-token) endpoint with `client_credentials` as the `grantType`. This returns a token the system can use to call APIs securely.

### Ending user session

To end a user's session and revoke their active tokens, ensuring a secure and complete logout from the application, use the [End User Session](/en/reference/access-manager/end-user-session) endpoint.
