Note:
As of May 14, 2025, all new client credentials require service accounts to enhance security and ensure uninterrupted service. For client credentials established prior to this date, we highly recommend transitioning to service accounts by November 14, 2025. See
Manage OAuth service accounts in Tango to add one.
To create an authorization token for OAuth and verify your system’s identity, you require a Client ID and Client secret referred to as OAuth client credentials. Additionally, for enhanced security, it’s also necessary to provide a username and password for the Service account. To generate Service Account, see Manage OAuth 2.0 service accounts in Tango.
Once you acquire a token, call the Tango API to establish the API connection. With OAuth 2.0, you can rotate your credentials with no downtime. See our API document to learn how you can Secure your connection with OAuth 2.0.
Note:
- OAuth credentials must be enabled for the first time. Contact your Tango representative to enable OAuth credentials for your Tango portal. See the steps in Get started with Tango API.
- You’re expected to manage your client credentials and service accounts.
- We recommend you to rotate your client credentials once a year. Client credentials never expire.
- The OAuth tokens are generated from OAuth credentials and expire in 24 hours (86400 seconds). Fetch a new token at least once every 24 hours to authenticate API calls. New tokens can be generated using the same client credentials and service accounts or the updated credentials. See how you can Acquire service account token.
Permissions
To access client credentials, you must have manage permissions for Tango API keys enabled for your user under the Integrations permissions. If you’re not an admin, contact your Tango portal admin to give you permission. Learn how to Set user permissions and access level.

Keep your OAuth client credentials safe
For your security, the client secret is masked by default in the Tango portal. Treat your client secret like a password and do not share it with unauthorized parties or over unsecured communication channels.
Note:
- Create a new OAuth client credential for your Tango platform whenever your client credentials have been compromised.
- Deactivate the client credentials when you no longer use the API integration connected to your Tango platform.
- You can have up to two active keys at the same time. You cannot reactivate client credentials, but you can generate a new credential and update the integrations that used the original credentials.
View OAuth client credentials
You can view your OAuth client credentials in the Tango portal for your API integration. Make sure to use the right production or sandbox environment when connecting to the Tango API. Tango allows API developers to test using a sandbox environment before integrating the production platform. See Set up work environment for Tango API.
To view your OAuth client credentials in Tango:
- Sign in to Tango portal.
- Click
Team settings > API credentials.
- Click an existing OAuth client credential to see the following information:
Field
|
Description
|
---|
Client ID
|
The client identifier for OAuth API connections. Copy the client ID and paste the value directly, or save it somewhere secure for later use.
|
Client Secret
|
The password for OAuth API connection. Copy the client secret and paste the value directly, or save it somewhere secure for later use.
|
Display name
|
The client credentials name to help you identify the key. You can edit this field later.
|
- To view the history of OAuth client credential, go to the Credential history tab.
- Select OAuth client credentials from the drop-down menu. You can narrow down your search by entering the credential name and find the following information:
Item
|
Description
|
---|
Action
|
Indicates whether the credential has been created, viewed, updated, or deactivated.
|
Credential name
|
Indicates the display name for your service account.
|
Date
|
Indicates the date and time the service account has been created
|
User’s name
|
Indicates the Tango portal user’s name who has created this service account
|
User’s email
|
Indicates the Tango portal user’s email address who created this service account
|
Client ID/API key
|
Shows the client ID
|
Credential type
|
Shows the type of credentials such as service account
|
- Click
to show or hide the table columns.
Generate new OAuth client credentials
To create a new token, you need to generate new OAuth client credentials. With OAuth, you can rotate your credentials with no downtime.
To generate new OAuth client credentials:
- Sign in to Tango portal.
- Click
Team settings > API credentials on the left menu. - Click OAuth client credentials > Create Credentials. You can create up to two active keys at any time.
- Client ID and Client Secret are generated automatically. Click
Copy next to their values.
- (Optional) Enter a Display name to help identify your client credentials later.
- Click Save display name.
New client credentials are generated and immediately accessible for use. To discover details regarding creation, update, or views, go to the Credential history page. - If you are creating client credentials for the first time, the next step is to create service accounts. See how you can Generate new OAuth service accounts. You must have both client credentials and service accounts to acquire an API token. See Acquire service account token.
Best practices:
Tango API token can be refreshed at most once a day. As a best practice, we recommend you to save the token and utilize it until it expires in 24 hours. Fetch a new token at least once every 24 hours to authenticate calls. See how you can
acquire a Tango access token.
Deactivate OAuth client credentials
You can have up to two active keys at the same time. When you deactivate a client credential, all active tokens are invalid and your integration is broken. If you’re still using that integration, you need to generate a new OAuth client credential. Deactivation cannot be reversed. You can deactivate an OAuth client credential for several reasons:
- A security best practice—to cycle them regularly
- To prevent harm— you think your API has been compromised
- To stay cautious—when people with access leave the company
To deactivate client credentials:
- Sign in to Tango portal.
- Click
Team settings > API credentials. - Click the OAuth client credentials box you are going to deactivate.
- Click Deactivate Client Credentials.
You’ll get a warning to update the credentials in your application before deactivating credentials. The app will stop working if you still use the deactivate credentials. - Click Deactivate credentials to confirm. A record of deactivated client ID can be seen under the Credential history page.
What’s next?
If you created client credentials for the first time, the next step is create service accounts for your API token. See Manage OAuth service accounts in Tango. See Acquire service account token.
More resources