OAuth 2.0
OAuth 2.0 is the recommended authentication method for new ZeyOS integrations. It uses standard authorization and token endpoints and supports authorization codes, refresh tokens, token revocation, token introspection, and PKCE.
Recommended
Use the authorization-code flow with PKCE for user-facing applications. Store client secrets and refresh tokens only in environments where they can be protected.
Base URL
Text
https://cloud.zeyos.com/{INSTANCE}/oauth2/v1
Replace {INSTANCE} with the ZeyOS instance name.
Authorization-Code Flow
- Redirect the user to
GET /authorizewith the client identifier, callback URL, state, and a PKCE challenge where applicable. - Receive the single-use authorization code at the registered callback URL.
- Exchange the code at
POST /tokenusinggrant_type=authorization_code. - Send the returned access token as
Authorization: Bearer <token>with REST API requests. - Exchange the refresh token at
/tokenwhen a new access token is required.
Token Management
- Use
POST /introspectto check whether a token is active. - Use
POST /revokewhen a token should no longer be accepted. - Use
GET /userinfoto retrieve information about the authenticated user.
OpenAPI Specification
Download the OAuth 2.0 OpenAPI specification for use with API clients and development tools.