# Authentication
As a content partner, you may choose to protect the endpoint that Cornerstone calls to fetch new and updated content. At a minimum, your endpoint must support SSL (HTTPS). Optionally, you can choose to enforce OAuth 2.0 or basic authentication.
TIP
During the initial setup phase of your integration, you will need to communicate your choice of using OAuth 2.0 or Basic Auth to your point of contact in the Cornerstone Content Services team.
# OAuth 2.0
We recommend that content providers use the OAuth 2.0 protocol for authentication. OAuth is the industry-standard protocol for authorization and authentication that enables a third-party application to obtain limited access to an HTTP service. If you choose to implement OAuth 2.0 on your endpoint, Cornerstone requires that you use the Client Credentials grant type.
In this method, you will provide Cornerstone’s Content Services Team with the API credentials (clientId and clientSecret). Cornerstone will exchange the credentials for a temporary access token by hitting your token endpoint. Cornerstone will then use the access token to call your content synchronization endpoint.
If you are using the Assets Connector, note that Cornerstone uses the same authentication credentials to retrieve the zip file that contains course assets.
# Basic Authentication
Basic authentication is a simple authentication scheme built into the HTTP protocol. In this method, Cornerstone will send HTTP requests with the Authorization header that contains the word Basic followed by a space and a base64-encoded string username:password. You will provide the username and password to Cornerstone’s Content Services Team.
For example, to authorize as demo / p@55w0rd, Cornerstone will send the following in the request header: Authorization: Basic ZGVtbzpwQDU1dzByZA==
If you are using the Assets Connector, note that Cornerstone uses the same authentication credentials to retrieve the zip file that contains course assets.
# Custom API Key
Custom API Key authentication is a custom, header-based scheme. Cornerstone will send an HTTP header whose Header Name and Token are the ones the Provider shared with Cornerstone’s Content Services Team.
For example, to authorize a provider with header name CustomApiKey and token CustomT@Ken, Cornerstone will send the following in the request header: CustomApiKey: CustomT@Ken
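
One way a provider endpoint could verify the Basic Authentication and Custom API Key headers described above. This is an added example, not Cornerstone's code: the function names and the lowercase-keyed header dictionary are assumptions, and the credentials are the sample values from this page.

```python
import base64
import binascii
import hmac

# Constructed sample credentials, taken from the examples on this page.
BASIC_USER, BASIC_PASSWORD = "demo", "p@55w0rd"
API_KEY_HEADER, API_KEY_TOKEN = "CustomApiKey", "CustomT@Ken"


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison so response timing does not leak the secret."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def lowercase_keys(raw_headers: dict) -> dict:
    """HTTP header names are case-insensitive, so normalise them once."""
    return {k.lower(): v for k, v in raw_headers.items()}


def check_basic(headers: dict) -> bool:
    """Validate an 'Authorization: Basic <base64(username:password)>' header."""
    value = headers.get("authorization", "")
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False  # malformed base64 or non-UTF-8 bytes
    # Split on the first colon only: a password may itself contain ':'.
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons before combining, avoiding a short circuit.
    user_ok = _equal(user, BASIC_USER)
    password_ok = _equal(password, BASIC_PASSWORD)
    return user_ok and password_ok


def check_api_key(headers: dict) -> bool:
    """Validate the shared custom header; the token value is case-sensitive."""
    return _equal(headers.get(API_KEY_HEADER.lower(), ""), API_KEY_TOKEN)
```

Base64 is an encoding, not encryption, so both checks rely on the HTTPS requirement above to keep the credentials confidential in transit.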