# OAuth

Zuora recommends that you use OAuth v2.0 to authenticate to the Zuora REST API. You must first create an OAuth client in the Zuora UI before using the [Create an OAuth token](https://developer.zuora.com/api-references/api/operation/createToken) operation to create an OAuth token. See [Authentication](https://developer.zuora.com/rest-api/general-concepts/authentication/) for more information.

## Create an OAuth token

- [POST /oauth/token](https://developer.zuora.com/v1-api-reference/api/oauth/createtoken.md): Creates a bearer token that enables an OAuth client to authenticate with the Zuora REST API. The OAuth client must have been created using the Zuora UI. See Authentication for more information.

  Note: When using this operation, do not set any authentication headers such as `Authorization`, `apiAccessKeyId`, or `apiSecretAccessKey`.

  You should not use this operation to generate a large number of bearer tokens in a short period of time; each token should be used until it expires. If you receive a `429 Too Many Requests` response when using this operation, reduce the frequency of requests. This endpoint is rate limited by IP address. For the rate limit information of authentication, see Rate and concurrent request limits.
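
The following is an added example, not Zuora's code, of the guidance above: reuse one bearer token until it expires and slow down on `429`. It assumes the form fields `client_id`, `client_secret` and `grant_type=client_credentials` and the response fields `access_token` and `expires_in`, which this page does not list; `post_token`, `TokenCache`, the 60-second skew and the retry settings are hypothetical names and values.

```python
import json, time, urllib.error, urllib.parse, urllib.request

def post_token(base_url, client_id, client_secret):
    """POST /oauth/token with form fields only (assumed field names).
    No Authorization, apiAccessKeyId or apiSecretAccessKey header is set."""
    form = urllib.parse.urlencode({"client_id": client_id,
                                   "client_secret": client_secret,
                                   "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(base_url + "/oauth/token", data=form, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

class TokenCache:
    """Hand out one cached bearer token until shortly before it expires."""
    def __init__(self, fetch, clock=time.monotonic, sleep=time.sleep,
                 skew=60, max_tries=4):
        self.fetch, self.clock, self.sleep = fetch, clock, sleep
        self.skew, self.max_tries = skew, max_tries
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token and self.clock() < self._expires_at:
            return self._token          # still valid: no request is sent
        delay = 1.0
        for _ in range(self.max_tries):
            status, body = self.fetch()
            if status == 200:
                self._token = body["access_token"]
                # Refresh `skew` seconds early so a token never expires mid-call.
                self._expires_at = self.clock() + body["expires_in"] - self.skew
                return self._token
            if status != 429:
                raise RuntimeError(f"token request failed with HTTP {status}")
            self.sleep(delay)           # 429: reduce request frequency
            delay *= 2                  # exponential backoff between retries
        raise RuntimeError("still rate limited after retries")
```

Wire it up as `TokenCache(lambda: post_token(base_url, client_id, client_secret))`, with the base URL of your Zuora environment and the client secret read from a secret store rather than source code.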