# Authentication best practices

## Authentication token expiry

The Investment API uses opaque access tokens obtained using the [OAuth 2.0 Client Credentials](https://oauth.net/2/grant-types/client-credentials/) flow.

These authentication tokens have an expiry time meaning you must request a new authentication token when the existing one expires.

You will receive error status [401 (Unauthorized)](https://docs.upvest.co/api_errors/unauthorised) when the token expires.