OAuth 2.0
For services and applications, CloudOptify supports standard OAuth 2.0 flows.
Client credentials (machine-to-machine)
Section titled “Client credentials (machine-to-machine)”Use a confidential client owned by your organization:
- In API Access → OAuth clients, create a client. Choose its allowed scopes.
- Copy the client ID and client secret — the secret is shown once.
- Exchange credentials for a token:
curl -X POST https://app.cloudoptify.com/oauth/token \ -d grant_type=client_credentials \ -d client_id=<client_id> \ -d client_secret=<client_secret>The response contains an access_token to use as a Bearer token against /api/v1/*. Tokens
carry the client’s allowed scopes (intersected with organization permissions).
Authorization code + PKCE (delegated)
Section titled “Authorization code + PKCE (delegated)”Applications acting on behalf of a signed-in user — including AI agents — use the standard authorization-code flow with PKCE. Endpoints and capabilities are published in the discovery document:
https://app.cloudoptify.com/.well-known/oauth-authorization-serverDynamic client registration is supported for this flow, so compatible clients can onboard without manual setup.
Revocation
Section titled “Revocation”Tokens can be revoked at any time (RFC 7009 revocation endpoint, or from the API Access page). Deleting an OAuth client invalidates the credentials it issued.
Choosing a flow
Section titled “Choosing a flow”| You’re building… | Use |
|---|---|
| A backend job or service | Client credentials |
| An app where a user signs in | Authorization code + PKCE |
| A quick script | An API token is simpler |