Snyk provides an OAuth2 API, primarily for use with Snyk Apps. It complies with RFC 6749.
Most endpoints are served from the Snyk API subdomain (for example, https://api.snyk.io), with the one exception being /oauth2/authorize which is served on the main app subdomain (for example, https://app.snyk.io).
Last updated
More information
Snyk privacy policy© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.
To be called by the end user to authorize the client application to their Snyk organizations. Success returns a redirect to the provided redirect_uri, containing an authorization code which can be exchanged for an access token.
Redirection to authorization server. The Location header is set to the provided redirect_uri so the user's browser should follow this redirect automatically.
Allows the client application to exchange the authorization code received from the authorization server for an access token.
Successful token request
The access token granted to the client application.
"some_opaque_access_token_string"The number of seconds until the access token expires.
3599Refresh token that can be used to obtain a new access token. Will not be granted in client_credentials grants.
"some_opaque_refresh_token_string"The number of seconds until the refresh token expires.
15552000The type of token issued.
"bearer"The space-separated list of scopes granted to the client application.
"org.read org.project.read org.project.snapshot.read"ID of the newly created bot user.
"95233fa3-33cf-4dd3-a6ac-e040985e1a4f"Revokes an otherwise valid refresh token so it can't be reused. This is used when a refresh token is accidentally, or maliciously, leaked.
The client ID of the client application.
"64ae3415-5ccd-49e5-91f0-9101a6793ec2"The client secret of the client application.
"super_secret_client_secret"The refresh token to be revoked.
"some_opaque_refresh_token_string"The token has been revoked, or was invalid.