# Authenticate as an Installation ### About Authenticating as an ICR App Installation Once your ICR App is installed on an account, you can make it authenticate as an app installation for API requests. This allows the app to access resources owned by that installation, as long as the app was granted the necessary access and permissions. API requests made by an app installation are attributed to the app. For example, if you want your app to update the `shortDescription` of a project owned by organization "Best organization", then you would authenticate as the "Best organization" installation of your app. The timeline of the issue would state that your app updated the shortDescription. To make an API request as an installation, you must first generate an installation access token. Then, you will send the installation access token in the `Authorization` header of your subsequent API requests. If a REST API endpoint works with an ICR App installation access token, the REST reference documentation for that endpoint will say "Works with ICR Apps." Additionally, your app must have the required permissions to use the endpoint. For more information, see "[Choosing permissions for an ICR App](https://documentation.carbonregistry.com/documentation/carbonregistry.com/api/apps/creating-icr-apps/registering-an-icr-app/permissions)." ### Using an Installation Access Token to Authenticate as an App Installation To authenticate as an installation with an installation access token, first use the REST API to generate an installation access token. Then, use that installation access token in the `Authorization` header of the REST API. The installation access token will expire after 2 hours. ### Generating an Installation Access Token 1. Generate a JSON web token (JWT) for your app. For more information, see "[Generating a JSON Web Token (JWT) for an ICR App](https://documentation.carbonregistry.com/documentation/carbonregistry.com/api/apps/authentication/generate-a-jwt)". 2. Get the ID of the installation that you want to authenticate as. If you are responding to a webhook event, the webhook payload will include the installation ID. You can also use the REST API to find the ID for an installation of your app. For example, you can get an installation ID with the `GET - /app/organizations/:organizationId/installation` or `GET /app/installations` endpoint for paginated response of all installations for your particular app. 3. Send a REST API `POST` request to `/app/installations/:installationId/accessTokens`. Include your JSON web token in the `Authorization` header of your request. Replace `installationId` with the ID of the installation that you want to authenticate as.
For example, send this curl request. Replace `INSTALLATION_ID` with the ID of the installation and `JWT` with your JSON web token: ```shell curl --request POST \ --url "https://api.carbonregistry.com/app/installations/INSTALLATION_ID/accessTokens" \ --header "Authorization: Bearer JWT" ``` NOTE: the installation access token will have all of the permissions that were granted to the app. The installation access token cannot be granted permissions that the app was not granted. The response will include an installation access token, the time that the token expires, the permissions that the token has, and the organization that the token can access. The installation access token will expire after 2 hours. For more information about this endpoint, see "[Installation access token](https://documentation.carbonregistry.com/documentation/carbonregistry.com/endpoints/v0.5/apps#installation-access-token)" ### Authenticating with an Installation Access Token To authenticate with an installation access token, include it in the `Authorization` header of an API request. Your app must have the required permissions to use the endpoint. For more information, see "[Choosing permissions for an ICR App](https://documentation.carbonregistry.com/documentation/carbonregistry.com/api/apps/creating-icr-apps/registering-an-icr-app/permissions)." In the following example, replace `INSTALLATION_ACCESS_TOKEN` with an installation access token: ```shell curl --request GET \ --url "https://api.carbonregistry.com/projects" \ --header "Authorization: Bearer INSTALLATION_ACCESS_TOKEN" ```