# OAuth

This section covers the OAuth 2.0 Authorization Code flow with PKCE, the recommended approach for connecting apps and services that act on behalf of a user. Desktop and CLI applications use this flow to obtain a token tied to a specific user's account without ever handling their password.

Call order:
1. **Register** (`POST /oauth/register/`) — obtain a `client_id` (one-time, no auth required).
2. **Authorize** (`GET /oauth/authorize/`) — open the browser to the consent URL. The user approves the consent screen in the dashboard.
3. **Token** (`POST /oauth/token/`) — exchange the authorization code + PKCE verifier for an access token.

The access token is used as a Bearer credential in the `Authorization` header, the same way as an API key.

## Register OAuth client (DCR)

 - [POST /public/v1/oauth/register/](https://docs.influencers.club/openapi/oauth/public_v1_oauth_register_create.md): Open endpoint — no authentication required. Desktop/CLI apps call this once to obtain a client_id they persist locally and reuse for all future authorize flows.

## Initiate OAuth authorization

 - [GET /public/v1/oauth/authorize/](https://docs.influencers.club/openapi/oauth/public_v1_oauth_authorize_list.md): OAuth 2.1 authorization endpoint. The client opens the browser at this URL; valid requests are redirected to the frontend consent page where the user approves access.

## OAuth token endpoint

 - [POST /public/v1/oauth/token/](https://docs.influencers.club/openapi/oauth/public_v1_oauth_token_create.md): Accepts `application/x-www-form-urlencoded` or `application/json`.

Parameters by grant type:

 - `authorization_code` grant: `grant_type`, `code`, `code_verifier`, `client_id`, `redirect_uri`
 - `refresh_token` grant: `grant_type`, `refresh_token`, `client_id`

## List connected OAuth apps

 - [GET /public/v1/oauth/apps/](https://docs.influencers.club/openapi/oauth/public_v1_oauth_apps_list.md): Returns all OAuth apps the authenticated user has authorized.

## Disconnect OAuth app

 - [DELETE /public/v1/oauth/apps/{app_id}/](https://docs.influencers.club/openapi/oauth/public_v1_oauth_apps_delete.md): Revokes the user's authorization for the given app and deactivates all associated access tokens.

