OAuth integration
Build third-party apps with user consent and scoped access tokens.
Build third-party applications that connect to Styrar on behalf of a user or company workspace using OAuth 2.0 authorization code flow.
Plan requirement: Users must authorize from a workspace on Team or Agency to use programmatic API access. Free and Solo plans do not include API access. Your app should handle
403responses and direct users to upgrade.
This flow is for partner apps that call the Styrar API on a user's behalf, such as planning tools, agency portals, or native extensions.
Prerequisites
- A registered OAuth client with Styrar (contact support to register)
- HTTPS redirect URIs allowlisted on the client (required in production)
client_secretstored only on your server (confidential clients), or PKCE for public/native clients
Flow overview
- Redirect the user's browser to the dashboard consent page.
- User signs in (if needed) and approves scopes.
- Styrar redirects to your
redirect_uriwith a one-timecode. - Your server exchanges the code at
POST /v1/oauth/token. - Call
/v1/routes withAuthorization: Bearer <access_token>.
Step 1: Start authorization
Redirect to the dashboard (not the API host):
GET https://styrar.com/oauth/authorize
Query parameters
| Parameter | Required | Description |
|---|---|---|
client_id | Yes | Your registered client id |
redirect_uri | Yes | Must match an allowlisted URI exactly |
state | Yes | Opaque value you verify on callback (CSRF protection) |
scope | No | Space-separated scopes; see Authentication |
company_id | No | Company workspace to bind the token to |
Example:
https://styrar.com/oauth/authorize?client_id=my_app&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback&state=8f3c2a1b&scope=posts%3Aread%20posts%3Awrite%20links%3Aread&company_id=clxyz123
User denial
?error=access_denied&state={state}
User approval
?code={authorization_code}&state={state}
Authorization codes expire in 10 minutes and are single-use.
Step 2: Exchange the code
Server-side request to the API:
Content-Type: application/json
{
"grant_type": "authorization_code",
"code": "AUTHORIZATION_CODE_FROM_REDIRECT",
"client_id": "my_app",
"client_secret": "YOUR_CLIENT_SECRET",
"redirect_uri": "https://app.example.com/oauth/callback"
}{
"access_token": "opaque-token-string",
"token_type": "Bearer",
"scope": "posts:read posts:write links:read"
}For public clients (native apps, Raycast), omit client_secret and send PKCE code_verifier instead.
Token endpoint rate limit: 60 requests per minute per client_id.
Step 3: Call the API
Authorization: Bearer YOUR_ACCESS_TOKEN
Accept: application/jsonGranted scopes are the intersection of:
- Scopes requested at authorize time
- Scopes approved for your OAuth client
- Scopes the user is allowed to grant in their workspace
Users must re-authorize to expand scopes on an existing token.
Default partner scopes
New partner apps typically receive:
posts:read,posts:writelinks:read,links:writesocial:readanalytics:readcampaigns:read,campaigns:writeautomations:read,automations:writeapproval_flows:*,approval_tasks:*
Not included by default: posts:delete, media:write, webhooks:*, social:write, billing:*, company admin scopes. Request additional scopes during client onboarding.
Workspace binding
- Pass
company_idat authorize to bind the token to a company workspace. - Omit
company_idfor personal workspace tokens. - Pass matching
companyIdon API requests for company resources.
Revoke access
Users review and disconnect apps at Settings → Connected apps (/settings/connected-apps). Revoked tokens return 401 on API calls.
Registering a client
Production partner onboarding:
- Provide app name, redirect URIs (HTTPS), and requested scopes.
- Styrar registers your OAuth client.
- You receive
client_idandclient_secret(confidential clients only).
Contact support to register a production OAuth client.
Related
- Authentication — Bearer tokens, scopes, plan limits
- Introduction — base URL, auth, and response codes
- API keys and connected apps