OAuth2 API
The OAuth2 API provides OAuth 2.0 authorization flows for third-party applications. This API is available to both individual and organization accounts.
Overview
This module provides:
- OAuth 2.0 Authorization Code flow
- OAuth 2.0 Client Credentials flow
- PKCE (Proof Key for Code Exchange) support
- Token revocation
- Application information for consent screens
Base Paths
- Public OAuth endpoints: /oauth
- API endpoints: /api/v1/oauth
Authentication
- Authorization endpoints require user authentication
- Token endpoint uses client credentials
- App info endpoint is public (no authentication required)
Grant Types
- Authorization Code: For web applications (with PKCE support)
- Client Credentials: For server-to-server applications
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /oauth/authorize | Authorization endpoint (GET) |
| POST | /oauth/authorize | Authorization consent (POST) |
| POST | /oauth/token | Token endpoint |
| POST | /oauth/token/revoke | Token revocation |
| GET | /api/v1/oauth/app-info | Get application info (public) |
| POST | /api/v1/oauth/authorize | Authorization endpoint (JSON API) |
Internal Notes
- All endpoints are fully implemented
- Supports PKCE, which binds each authorization code to the client instance that started the flow, so an intercepted code cannot be redeemed without the matching code_verifier
- Authorization code expires after 10 minutes
- Tokens follow organization expiration settings
Swagger Documentation
Interactive API documentation available at: /docs#/oauth2