Back to docs

API reference

OAuth integration

Build third-party apps with user consent and scoped access tokens.

Build third-party applications that connect to Styrar on behalf of a user or company workspace using OAuth 2.0 authorization code flow.

Plan requirement: Users must authorize from a workspace on Team or Agency to use programmatic API access. Free and Solo plans do not include API access. Your app should handle 403 responses and direct users to upgrade.

This flow is for partner apps that call the Styrar API on a user's behalf, such as planning tools, agency portals, or native extensions.

Prerequisites

  • A registered OAuth client with Styrar (contact support to register)
  • HTTPS redirect URIs allowlisted on the client (required in production)
  • client_secret stored only on your server (confidential clients), or PKCE for public/native clients

Flow overview

  1. Redirect the user's browser to the dashboard consent page.
  2. User signs in (if needed) and approves scopes.
  3. Styrar redirects to your redirect_uri with a one-time code.
  4. Your server exchanges the code at POST /v1/oauth/token.
  5. Call /v1/ routes with Authorization: Bearer <access_token>.

Step 1: Start authorization

Redirect to the dashboard (not the API host):

GET https://styrar.com/oauth/authorize

Query parameters

ParameterRequiredDescription
client_idYesYour registered client id
redirect_uriYesMust match an allowlisted URI exactly
stateYesOpaque value you verify on callback (CSRF protection)
scopeNoSpace-separated scopes; see Authentication
company_idNoCompany workspace to bind the token to

Example:

https://styrar.com/oauth/authorize?client_id=my_app&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback&state=8f3c2a1b&scope=posts%3Aread%20posts%3Awrite%20links%3Aread&company_id=clxyz123

User denial

?error=access_denied&state={state}

User approval

?code={authorization_code}&state={state}

Authorization codes expire in 10 minutes and are single-use.

Step 2: Exchange the code

Server-side request to the API:

RequestPOST
Content-Type: application/json

{
  "grant_type": "authorization_code",
  "code": "AUTHORIZATION_CODE_FROM_REDIRECT",
  "client_id": "my_app",
  "client_secret": "YOUR_CLIENT_SECRET",
  "redirect_uri": "https://app.example.com/oauth/callback"
}
Response200 OK
{
  "access_token": "opaque-token-string",
  "token_type": "Bearer",
  "scope": "posts:read posts:write links:read"
}

For public clients (native apps, Raycast), omit client_secret and send PKCE code_verifier instead.

Token endpoint rate limit: 60 requests per minute per client_id.

Step 3: Call the API

RequestGET
Authorization: Bearer YOUR_ACCESS_TOKEN
Accept: application/json

Granted scopes are the intersection of:

  • Scopes requested at authorize time
  • Scopes approved for your OAuth client
  • Scopes the user is allowed to grant in their workspace

Users must re-authorize to expand scopes on an existing token.

Default partner scopes

New partner apps typically receive:

  • posts:read, posts:write
  • links:read, links:write
  • social:read
  • analytics:read
  • campaigns:read, campaigns:write
  • automations:read, automations:write
  • approval_flows:*, approval_tasks:*

Not included by default: posts:delete, media:write, webhooks:*, social:write, billing:*, company admin scopes. Request additional scopes during client onboarding.

Workspace binding

  • Pass company_id at authorize to bind the token to a company workspace.
  • Omit company_id for personal workspace tokens.
  • Pass matching companyId on API requests for company resources.

Revoke access

Users review and disconnect apps at Settings → Connected apps (/settings/connected-apps). Revoked tokens return 401 on API calls.

Registering a client

Production partner onboarding:

  1. Provide app name, redirect URIs (HTTPS), and requested scopes.
  2. Styrar registers your OAuth client.
  3. You receive client_id and client_secret (confidential clients only).

Contact support to register a production OAuth client.

Join the beta waitlist

By signing up you agree to receive marketing email. See our Privacy Policy.