Secure your connection with Tango API

To take full advantage of our Tango API resources, you must establish a secure connection to the Tango API through one of the following methods. All API connections must use HTTPS; plain HTTP connections are rejected:

  • Basic Authentication (Auth)—Auth is a simple authentication method that uses static credentials (platform name and API key). Because the credentials never change unless you rotate them, it is less secure and best suited for lower-risk, internal integrations.
  • Open Authorization (OAuth) 2.0 (Recommended)—OAuth is a token-based authentication method that uses client credentials and service accounts. Tokens expire after either 24 hours or 5 minutes, depending on the audience specified when creating the token. With OAuth, you can create an unlimited number of service accounts and rotate your client credentials with no downtime. See how to Acquire a service account token.
  • OAuth 2.0 with DPoP (Highest Security)—Combines OAuth 2.0 with Demonstrating Proof of Possession (DPoP) (RFC 9449). DPoP cryptographically binds each access token to a client key pair you control. A stolen token cannot be used without the corresponding private key.
Note: Contact your Tango representative, Customer Success Manager (CSM), or [email protected] to enable API key management on your production platform. See the steps in Get started with Tango API.

Use case

Here are some example use cases for using more than one service account:

  • Distributed Point of Sales
    Acme Sporting Goods Company franchises hundreds of retail stores across North America. Each independent franchise is individually connected to the Tango platform. To ensure secure connections, Acme uses OAuth 2.0 to connect to the Tango API. With OAuth, they can use one client credential and create multiple service accounts—one for each retail store. If a store is compromised, Acme can deactivate the specific service account associated with that store, ensuring that all other stores remain unaffected. OAuth 2.0 allows Acme to maintain service continuity without compromising system security.
  • Multiple Software Application Connections
    Acme Health Care has integrated the Tango API into multiple software applications. Their proprietary application, which sends rewards to healthcare customers, uses one service account. Additionally, their accounting software, connected to the Tango API for managing account funding, uses a second service account. By leveraging OAuth 2.0 to create multiple service accounts, Acme has enhanced security and traceability. If one application is compromised, they can deactivate the specific service account without impacting the other application.

Why do we recommend OAuth?

  • Service continuity—the token Time-To-Live is either 24 hours or 5 minutes, depending on the selected audience, and the API connection is not interrupted when rotating credentials.
  • Additional layer of security—you can see the service account password only at the time of creation.
  • Ability to create an unlimited number of service accounts—this is especially helpful for users with multiple connections, locations, or departments.
  • Optional DPoP support—For the highest level of API security, Tango supports DPoP (RFC 9449) as an opt-in enhancement. DPoP binds tokens to your client's key pair, protecting against token theft, replay attacks, and lateral movement using leaked credentials. DPoP is optional but recommended for production integrations, especially for high-value transaction flows.

Required permissions

  • Both API keys (Basic Auth) and OAuth client credentials (OAuth) must be enabled for your production Tango platform. Contact your Tango representative. See the steps in How to get your API keys enabled.
  • Both Auth and OAuth require that the manage permission for Tango API keys is enabled for your user under the Integrations permissions. If you’re not an admin, contact your Tango portal admin to grant you this permission. Learn how to Set user permissions and access level.

© 2026 Tango API are provided by Tango, a division of BHN, Inc.