OAuth Overview

Understand how OAuth 2.0 works with Orshot


Orshot uses OAuth 2.0 to let third-party apps access user data securely. Users explicitly grant your app permission to specific workspaces and actions — your app never sees their password.

Supported Grant Types

Grant Type                 Best For                                Requires Browser?
Authorization Code + PKCE  Web apps, desktop apps, IDE extensions  Yes
Device Flow                CLI tools, devices without browsers     No (user visits a URL separately)

Both flows result in an access token and refresh token that your app uses to call the Orshot API.

The Big Picture

┌──────────┐     1. Redirect to Orshot     ┌──────────┐
│          │ ───────────────────────────▶  │          │
│ Your App │                               │  Orshot  │
│          │  ◀─── 2. User approves ────── │  Consent │
│          │       (redirect with code)    │  Screen  │
└──────────┘                               └──────────┘
     │
     │ 3. Exchange code for tokens
     │    (POST /v1/oauth/token)
     ▼
┌──────────┐
│  Orshot  │
│   API    │ ◀── 4. Use access token to call API
└──────────┘

Endpoints

All OAuth endpoints are relative to https://api.orshot.com, except the authorization consent screen, which is served from orshot.com.

Endpoint                                 Method  Purpose
/oauth/authorize                         GET     Authorization consent screen (on orshot.com)
/v1/oauth/token                          POST    Exchange code for tokens / refresh tokens
/v1/oauth/device/code                    POST    Start a device flow
/v1/oauth/introspect                     POST    Check if a token is valid
/.well-known/oauth-authorization-server  GET     Discovery metadata (RFC 8414)

Token Lifecycle

  • Access tokens expire in 15 minutes
  • Refresh tokens expire in 30 days
  • Use refresh tokens to get new access tokens without re-prompting the user
  • Refresh tokens are rotated on each use — always store the new one from the response

See Token Management for details on refreshing and revoking tokens.

Workspace-Scoped Access

Orshot access is always scoped to specific workspaces. When a user authorizes your app, they choose which workspaces to grant access to. Your tokens will only work for those workspaces.

If a user later removes a workspace from the grant, existing tokens for that workspace are automatically revoked.

Discovery Endpoint

MCP-compatible clients and other tools can auto-discover Orshot's OAuth configuration:

curl https://api.orshot.com/.well-known/oauth-authorization-server

This returns all endpoints, supported scopes, grant types, and PKCE requirements per RFC 8414.
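
A client that auto-discovers its configuration should check the document before trusting the endpoints in it. The following is an added example, not Orshot's code: it validates a discovery response against the hosts named on this page. The sample JSON is constructed, the field names are the standard ones from RFC 8414 and RFC 8628, and it is an assumption that Orshot advertises them in this form.

```python
import json
from urllib.parse import urlsplit

ISSUER = "https://api.orshot.com"                 # base URL stated on this page
ALLOWED_HOSTS = {"api.orshot.com", "orshot.com"}  # consent screen is on orshot.com
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "device_authorization_endpoint", "introspection_endpoint")
# Grants this client intends to use (assumed to be advertised under these names).
REQUIRED_GRANTS = {"authorization_code", "refresh_token",
                   "urn:ietf:params:oauth:grant-type:device_code"}


def validate_metadata(doc: dict, issuer: str = ISSUER) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    # RFC 8414 section 3.3: issuer must be identical to the one we queried.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not isinstance(url, str):
            problems.append(f"{key} missing")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key} is not https")
        if parts.hostname not in ALLOWED_HOSTS:
            problems.append(f"{key} points at unexpected host {parts.hostname!r}")
    # Refuse to run the authorization code flow without S256 PKCE.
    if "S256" not in (doc.get("code_challenge_methods_supported") or []):
        problems.append("S256 PKCE not advertised")
    missing = REQUIRED_GRANTS - set(doc.get("grant_types_supported") or [])
    if missing:
        problems.append(f"grant types not advertised: {sorted(missing)}")
    return problems


# Constructed sample response (not captured from Orshot).
SAMPLE = json.loads("""{
  "issuer": "https://api.orshot.com",
  "authorization_endpoint": "https://orshot.com/oauth/authorize",
  "token_endpoint": "https://api.orshot.com/v1/oauth/token",
  "device_authorization_endpoint": "https://api.orshot.com/v1/oauth/device/code",
  "introspection_endpoint": "https://api.orshot.com/v1/oauth/introspect",
  "code_challenge_methods_supported": ["S256"],
  "grant_types_supported": ["authorization_code", "refresh_token",
    "urn:ietf:params:oauth:grant-type:device_code"]
}""")

if __name__ == "__main__":
    print(validate_metadata(SAMPLE) or "metadata OK")
```

Run the check once when the client loads the discovery document and refuse to start a flow if the list is not empty.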
