> ## Documentation Index
> Fetch the complete documentation index at: https://docs.busha.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Access

> Register your OAuth2 app, obtain your client credentials, and decide whether to start in sandbox or production.

## Before you begin

OAuth2 app registration sits inside your Busha business account. Make sure you have:

* A **Busha business account** with completed KYB (Know Your Business) verification.
* The **scopes** your integration needs. Review the [Scopes reference](./scopes) before registering — you request scopes at registration time, and an admin approves the bundle.

If you haven't set up a business account yet, follow the [Quick Start guide](../getting-started/quick-start) first.

***

## Register your OAuth2 app

<Steps>
  <Step title="Open Developer Tools">
    Sign in to your Busha business account at [app.busha.io](https://app.busha.io). In the sidebar, go to **Settings → Developer Tools → OAuth Apps** and click **Create App**.
  </Step>

  <Step title="Fill in the app details">
    Provide a name, homepage URL, and one or more **redirect URIs**. Select the [scopes](./scopes) your integration requires.

    <Warning>
      Register the **exact** redirect URI your app will send in the authorization request. Busha compares it byte-for-byte — a trailing slash, different casing, or a missing port makes it a different URI and the request will be rejected. HTTPS is required for all redirect URIs unless the host is `localhost`.
    </Warning>

    Submit. Your app lands in **pending** status.
  </Step>

  <Step title="Wait for approval">
    Busha admin reviews and approves your app. You'll be notified when the status changes. Approval grants your app the full set of scopes you requested — `approved_scopes = requested_scopes`.

    If your app shows `pending`, `rejected`, or `suspended` in the dashboard, authorization requests will fail with `unauthorized_client`.
  </Step>

  <Step title="Copy your client credentials">
    Once approved, open the app page and click **Reveal Client Secret**. The secret is shown **exactly once** — copy it into your secret manager immediately.

    Your credentials are:

    | Credential      | Format                             | Where to find it                           |
    | --------------- | ---------------------------------- | ------------------------------------------ |
    | `client_id`     | `busha-oauth2-{uuid}-{live\|test}` | App page, always visible                   |
    | `client_secret` | Opaque string                      | Click **Reveal Client Secret** (once only) |

    Use **Rotate Secret** on the same page if your secret is ever compromised.

    <Warning>
      `client_secret` belongs in your backend — never in a mobile app, single-page app, browser extension, or anything shipped to users. Store it in a secret manager (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager).
    </Warning>
  </Step>
</Steps>

***

## Sandbox vs production

Sandbox and production are fully isolated — they have separate URLs, separate OAuth2 clients, separate users, and separate tokens. Nothing crosses between them.

|                         | Sandbox                                      | Production                               |
| ----------------------- | -------------------------------------------- | ---------------------------------------- |
| **Purpose**             | Test your integration safely                 | Live customer traffic                    |
| **Approval turnaround** | Lighter-touch (ask your integration manager) | Standard KYB review                      |
| **Credentials**         | Separate `client_id` and `client_secret`     | Separate `client_id` and `client_secret` |
| **API host**            | `api.sandbox.busha.so`                       | `api.busha.io`                           |
| **OAuth2 issuer**       | `login.sandbox.busha.io`                     | `login.busha.io`                         |

<Note>
  Register a separate OAuth2 app for each environment. Never reuse production credentials in sandbox — the data sets are isolated and mixing credentials muddies your testing.
</Note>

To get sandbox access, complete partner onboarding at the sandbox host. Talk to your integration manager about approval turnaround.

***

## What's next

You have your `client_id` and `client_secret`. Now make your first authorized API call:

<Card title="Quick start" icon="bolt" href="./quick-start">
  Walk through the full authorization-code flow and call `GET /v1/balances` on behalf of a real user.
</Card>
