> ## Documentation Index > Fetch the complete documentation index at: https://docs.lerian.studio/llms.txt > Use this file to discover all available pages before exploring further. # Access Manager API Reference **This section is intended for developers.** If you're looking for a business-level overview of Access Manager, see [Access Manager](/en/platform/access-manager/access-manager). Access Manager provides two services that work together to handle authentication, authorization, and identity management across the Lerian ecosystem. Whether you're authenticating users, managing M2M connections, or controlling access permissions, these APIs give you full programmatic control over your security infrastructure. ## API architecture *** Access Manager is built on two core services, each with its own APIs: Manages authentication flows, tokens, and session control. Manages users, groups, and application credentials. ## API requirements *** Once Access Manager is enabled, **all API requests** to Midaz and its plugins require authentication. Every request must include an `Authorization` header with a valid Bearer token, or it will be rejected with a `401 Unauthorized` response. ### Request headers All authenticated requests must include: ```http theme={null} Authorization: Bearer {access_token} Content-Type: application/json ``` ### Token expiration * Access tokens expire after **3600 seconds (1 hour)** * Refresh tokens expire after **24 hours** * Plan token refresh before expiration to avoid service interruption ## Next steps *** * Review the [Using Access Manager](/en/platform/access-manager/using-access-manager) guide for workflow examples. * Learn about [Access Manager Components](/en/platform/access-manager/am-components) architecture. * Check [Best Practices](/en/platform/access-manager/am-best-practices) for security recommendations.