Endpoint summary
| Endpoint | Method | Purpose |
|---|---|---|
| GET /v1/auth/authorize | GET | OAuth authorization endpoint (browser redirect) |
| POST /v1/auth/token | POST | AuthService.ExchangeToken — code → tokens |
| POST /v1/auth/token/refresh | POST | AuthService.RefreshToken — refresh → new access token |
| POST /v1/auth/token/revoke | POST | AuthService.RevokeToken — invalidate a token |
Headers
| Header | Format | Used by |
|---|---|---|
| Authorization | Bearer <access_token> | OAuth-authenticated requests |
| x-api-key | <api_key_secret> | API-key requests |
| Content-Type | application/json | Every request body |
Send either Authorization or x-api-key, never both. A request carrying both returns ERROR_CODE_INVALID_REQUEST.
OAuth — wire-level
Authorization request
code_challenge_method=S256 is required. The legacy plain method is rejected.
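The two rules above (S256-only PKCE on the authorize/token pair, and one credential header per request) as an added Python example; this is not the service's own code, and the function names and the dict-of-headers shape are assumptions, since the page does not show the request bodies:

```python
import base64
import hashlib
import secrets

ERROR_CODE_INVALID_REQUEST = "ERROR_CODE_INVALID_REQUEST"


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a fresh code_verifier and its S256 code_challenge.

    The verifier never leaves the client; only the challenge goes into the
    GET /v1/auth/authorize redirect, and the verifier is sent later to
    POST /v1/auth/token together with the code.
    """
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(code_verifier: str, code_challenge: str, method: str) -> bool:
    """Server side check at token exchange (hypothetical helper).

    Only S256 is accepted; 'plain' or any other method is rejected before
    any comparison, matching the page's rule that plain is not allowed.
    """
    if method != "S256":
        return False
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, code_challenge)


def select_credential(headers: dict):
    """Pick exactly one credential scheme from request headers (hypothetical helper).

    Returns (scheme, error). Sending both Authorization and x-api-key is the
    page's ERROR_CODE_INVALID_REQUEST case; header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    has_bearer = lowered.get("authorization", "").startswith("Bearer ")
    has_key = "x-api-key" in lowered
    if has_bearer and has_key:
        return None, ERROR_CODE_INVALID_REQUEST
    if has_bearer:
        return "oauth", None
    if has_key:
        return "api_key", None
    return None, None  # no credential at all; the page does not define this error
```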
Token exchange
Refresh
Revoke
Token introspection
AuthService includes TokenInfo for inspecting the active token’s scopes and expiration when needed. See sdk/auth/v1/token_info.proto.
Edge cases
| Situation | What happens |
|---|---|
| Both Authorization and x-api-key sent | ERROR_CODE_INVALID_REQUEST |
| Expired access token | ERROR_CODE_UNAUTHENTICATED — refresh and retry |
| Refresh token used twice (after rotation) | ERROR_CODE_UNAUTHENTICATED — re-prompt user |
| API-key request to a stream-acquire endpoint | ERROR_CODE_PERMISSION_DENIED — wrong credential type |
| OAuth token without the stream scope on Acquire*Stream | ERROR_CODE_PERMISSION_DENIED |
Related
- Usage / Authentication — narrative walkthrough.
- OAuth Scopes — what each scope grants.
- API Keys — server-to-server credential lifecycle.
- Errors — error code reference.