Authentication

Every request authenticates with a single secret sent in the Authorization header. Use an API key for your own scripts and servers; use OAuth 2.1 when a third-party app or AI agent acts on a user's behalf.

API keys

An API key is a long-lived credential you create in Settings → Developer (Owner/Manager). It carries a curated set of scopes; its effective power is always your scopes ∩ your role, so a key can never exceed what the owning member can do.

Send it as a Bearer token on every request:

GET /v1/agency HTTP/1.1
Host: api.skedcast.com
Authorization: Bearer sked_live_AB12…

OAuth 2.1 (for third-party apps)

When an app or AI agent acts on behalf of a SkedCast user, use the OAuth 2.1 Authorization Code flow with PKCE (S256 required). Clients register dynamically (RFC 7591) — no manual app setup — and discover every endpoint from the metadata documents below.

OAuth endpoints

Method           Path                                      Purpose
GET              /.well-known/oauth-authorization-server   AS metadata (RFC 8414)
GET              /.well-known/jwks.json                    Public keys for token verification
POST             /oauth/register                           Dynamic client registration (RFC 7591)
GET/PUT/DELETE   /oauth/register/:id                       Manage a registration (RFC 7592)
GET              /oauth/authorize                          Authorization endpoint (PKCE)
POST             /oauth/token                              Exchange code / refresh for an access token

The flow, end to end

  • Discover the AS metadata from the well-known document.
  • Register your client (DCR) to get a client_id.
  • Redirect the user to /oauth/authorize with a PKCE code_challenge + your scopes.
  • The user signs in and consents; you receive an authorization code.
  • Exchange the code at /oauth/token (with the code_verifier) for an access_token + refresh_token.
  • Call the API with Authorization: Bearer <access_token>; refresh when it expires.
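
The PKCE steps of the flow above (build the /oauth/authorize redirect, validate the callback, assemble the /oauth/token form), as an added example that is not SkedCast's own code. The endpoint host, client_id, redirect URI and scope name are constructed placeholders; the metadata field names are those defined by RFC 8414, and the function names are hypothetical.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the AS metadata document (RFC 8414 field names).
# The host is a placeholder, not a SkedCast value.
METADATA = {
    "authorization_endpoint": "https://as.example.test/oauth/authorize",
    "token_endpoint": "https://as.example.test/oauth/token",
    "code_challenge_methods_supported": ["S256"],
}

def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA256(verifier)) with '=' padding removed (RFC 7636, 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def begin_authorization(meta, client_id, redirect_uri, scopes):
    """Return (redirect_url, session); session stays server-side, never in the URL."""
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("authorization server does not advertise S256")
    verifier = secrets.token_urlsafe(32)  # 43 chars, inside RFC 7636's 43..128 range
    state = secrets.token_urlsafe(16)     # ties the callback to this user session
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return f"{meta['authorization_endpoint']}?{query}", {"verifier": verifier, "state": state}

def token_request(callback_url, session, client_id, redirect_uri):
    """Validate the callback, then return the form body to POST to token_endpoint."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned = params.get("state", [""])[0].encode()
    if not hmac.compare_digest(returned, session["state"].encode()):
        raise ValueError("state mismatch: discard this callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": session["verifier"],  # sent only here, never in the redirect
    }
```

Generate a fresh verifier and state for every authorization attempt and drop both from the session once the code has been exchanged.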

FAQ

Should I use an API key or OAuth?
Use an API key for your own server-side scripts and integrations. Use OAuth when you're building an app that other SkedCast users authorize to access their own workspaces.

How long do access tokens last?
OAuth access tokens are short-lived; use the refresh token to obtain a new one. API keys are long-lived with a mandatory expiry (up to a year) and can be revoked or rotated at any time.
