OAuth Overview

Understand how OAuth 2.0 works with Orshot

Orshot uses OAuth 2.0 to let third-party apps access user data securely. Users explicitly grant your app permission to specific workspaces and actions — your app never sees their password.

Supported Grant Types#

Grant Type	Best For	Requires Browser?
Authorization Code + PKCE	Web apps, desktop apps, IDE extensions	Yes
Device Flow	CLI tools, devices without browsers	No (user visits a URL separately)

Both flows result in an access token and refresh token that your app uses to call the Orshot API.

The Big Picture#

┌──────────┐     1. Redirect to Orshot     ┌──────────┐
│          │ ───────────────────────────▶  │          │
│ Your App │                               │  Orshot  │
│          │  ◀─── 2. User approves ────── │  Consent │
│          │       (redirect with code)    │  Screen  │
└──────────┘                               └──────────┘
     │
     │ 3. Exchange code for tokens
     │    (POST /v1/oauth/token)
     ▼
┌──────────┐
│  Orshot  │
│   API    │ ◀── 4. Use access token to call API
└──────────┘

Endpoints#

All OAuth endpoints are relative to https://api.orshot.com.

Endpoint	Method	Purpose
`/oauth/authorize`	GET	Authorization consent screen (on `orshot.com`)
`/v1/oauth/token`	POST	Exchange code for tokens / refresh tokens
`/v1/oauth/device/code`	POST	Start a device flow
`/v1/oauth/introspect`	POST	Check if a token is valid
`/.well-known/oauth-authorization-server`	GET	Discovery metadata (RFC 8414)

The authorization URL (/oauth/authorize) is on the main website (orshot.com), while all API endpoints are on api.orshot.com.

Token Lifecycle#

Access tokens expire in 15 minutes
Refresh tokens expire in 30 days
Use refresh tokens to get new access tokens without re-prompting the user
Refresh tokens are rotated on each use — always store the new one from the response

See Token Management for details on refreshing and revoking tokens.

Workspace-Scoped Access#

Orshot access is always scoped to specific workspaces. When a user authorizes your app, they choose which workspaces to grant access to. Your tokens will only work for those workspaces.

If a user later removes a workspace from the grant, existing tokens for that workspace are automatically revoked.

Development Mode & Sandbox#

All apps start in development mode (private). While in this mode:

Only the app owner and explicitly added test users can authorize and use the app
The consent screen shows an "unverified app" warning to test users
API calls from unauthorized users return a sandbox_restricted error

Once you publish your app, sandbox restrictions are removed and any Orshot user can authorize it. See Register Your App for details.

Discovery Endpoint#

MCP-compatible clients and other tools can auto-discover Orshot's OAuth configuration:

curl https://api.orshot.com/.well-known/oauth-authorization-server

This returns all endpoints, supported scopes, grant types, and PKCE requirements per RFC 8414.

←

Authorization Code Flow

→

Ready to automate?

Start rendering images, PDFs and videos from your templates in under 2 minutes. Free plan, no credit card.

Get your API key

Image, PDF and video generation via API
Visual editor with AI and smart layouts
Zapier, Make, MCP and 50+ integrations
White-label embed for your own app
60 free renders — no credit card required