# Clipper authorisation mechanism In order to access the clipper API, the client must use a token, which is a random string generated by the application. There are two ways for applications to obtain this token: ## Get it from the user The user can copy the token in the Clipper configuration page and provide it directly to the application. This is the simplest method. ## Request it programmatically The token can also be requested programmatically, as is done for the web clipper extension. It works as below: - The client calls `POST /auth`. The server responds with `{ auth_token: "AUTH_TOKEN" }`. This `auth_token` is different from the regular token - it is just used to authentify the client. - The application displays a message asking the user to Accept or Reject the access request. - The clients calls `GET /auth/check?auth_token=AUTH_TOKEN` at regular intervals. Initially the server responds with `{ status: "waiting" }`, since we are waiting for the user to confirm or reject. - Once the user accepts the request in the application, the server returns `{ status: "accepted", token: "API_TOKEN" }`. - The client can now use this `API_TOKEN` to make requests. - If the users rejects the request, the server returns `{ status: "rejected" }`, and the client can display an error message.