# API Users

API Users allow for authorizing [external access](https://docs.umbraco.com/umbraco-cms/reference/management-api/external-access) to the Management API.

An API User is identical to a [regular User](https://docs.umbraco.com/umbraco-cms/fundamentals/data/users) except for one thing: it has no password. In fact, API Users are not allowed to log in to the backoffice like regular Users.

Instead, API Users hold the Client Credentials used to authorize against the Management API. When an external source authorizes using Client Credentials, it effectively assumes the identity of the API User.

Since API Users are identical to regular Users, their backoffice access can be controlled in the same way. This allows for imposing detailed access control on the external sources connected to the Management API.

![An API User in the backoffice](https://2050077833-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb0WSXUuM7Qx5BfREagAI%2Fuploads%2Fgit-blob-7f4be5d13798c7d6964b6f371ca314cd78538975%2Fapi-user.png?alt=media)

{% hint style="info" %}
Client IDs for API Users are explicitly prefixed with `umbraco-back-office-`. This guards against API Users accidentally taking over one of the Client IDs used by the Umbraco core.
{% endhint %}
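
How an external source could request a token with an API User's Client Credentials, as an added example that is not part of the Umbraco documentation or code base: it builds a standard OAuth 2.0 client credentials request (RFC 6749) and enforces the `umbraco-back-office-` prefix before anything is sent. The endpoint URL, the client ID suffix and the secret are constructed placeholders, and sending the credentials in the form body is an assumption; take the real token endpoint from the external access documentation.

```python
import json
import urllib.parse
import urllib.request

CLIENT_ID_PREFIX = "umbraco-back-office-"  # prefix stated on this page


def build_token_request(token_url, client_id, client_secret):
    """Build, without sending, a client_credentials token request (RFC 6749, 4.4)."""
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("refusing to send a client secret over a non-HTTPS URL")
    if not client_id.startswith(CLIENT_ID_PREFIX) or client_id == CLIENT_ID_PREFIX:
        raise ValueError(f"API User client IDs start with {CLIENT_ID_PREFIX!r}")
    if not client_secret:
        raise ValueError("client secret is empty")
    # Assumption: credentials go in the form body, never in the query string,
    # so they stay out of proxy and web server access logs.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def fetch_access_token(request, timeout=10):
    """Send the request and return the bearer token from the JSON response."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)["access_token"]


def bearer_header(access_token):
    """Header for Management API calls made as the API User."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent over the network here.
    req = build_token_request(
        "https://cms.example.test/TOKEN-ENDPOINT-PLACEHOLDER",
        "umbraco-back-office-ci-import",
        "constructed-secret",
    )
    print(req.get_method(), req.full_url, len(req.data), "byte body")
```

Because the token carries the API User's identity, the User group chosen for that API User bounds what the calling system can do.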

## Creating an API User

To create an API User:

1. Go to the **Users** section in the backoffice.
2. Select **Create -> API User**.
3. Enter the **Name** and **Email** of the new API User.
4. Select which **User group** the new user should be added to.
5. Click **Create user**.
