OAuth Applications
If you are building or hosting an app that needs to read or update data in someone else’s Apptoto account, register that app here. When a user clicks “Connect to Apptoto” inside your app, they are sent to an Apptoto consent screen that lists the scopes you requested, and on approval Apptoto issues your app an access token it can use against the Apptoto API.
Use OAuth when other people will authorize your app to act on their accounts. If you only need API access to your own account, use API Keys instead — they are simpler and do not require a consent flow.
Register an application
- Open OAuth Applications — Navigate to Settings > Integrations > Developer Tools > OAuth Applications.
- Click “Register OAuth Application” — An empty form opens with every available scope ticked by default. Untick any you do not need.
- Fill in the application settings:
  - Name — A friendly name for your application. Users see this on the consent screen, so use something they will recognize.
  - Redirect URI — The URL Apptoto sends users back to after they approve or deny access. This must match the redirect URI your app uses when it starts the OAuth flow.
  - Server-Side Application — Leave this on for apps that run on a server you control and can keep a client secret private (a Rails, Node, or Python backend, for example). Turn it off for apps that ship to end users — mobile apps, desktop apps, or single-page web apps — since any secret embedded in them can be read by anyone. Apps with this turned off authenticate using PKCE instead of a client secret.
  - Scopes — Tick every scope your application will request. Users see this list when they authorize the app, and Apptoto rejects token requests that ask for any scope not ticked here.
- Click “Create” — Apptoto saves the application and shows the Client ID and Client Secret at the top of the OAuth Applications list.
Available scopes
Tick the scopes that match what your application needs. Users see the descriptions on the right-hand side when they are asked to approve the connection.
| Scope | What it allows |
|---|---|
| calendars:read | View your calendars |
| address_books:read | View your address books |
| contacts:read | View your contacts |
| contacts:write | Create, update, and delete your contacts |
| events:read | View your calendar events |
| events:write | Create, update, and delete events; mark event statuses |
| bookings:read | View booking page availability and existing bookings |
| bookings:write | Create bookings on your booking pages |
| imports:read | Check the status of imports |
| imports:write | Upload imports (CSV / ICS / XML) that bulk-create data |
| lists:read | View your opt-in and opt-out lists |
| lists:write | Modify your opt-in and opt-out lists |
| messaging:read | View your conversations and message history |
| messaging:send | Send SMS or email messages on your behalf |
Apptoto rejects token requests that ask for any scope not ticked on your application. Start broad while you are developing if you are not sure what you need — you can untick scopes later once the surface of your integration is settled.
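For an app registered with Server-Side Application turned off, the authorization request carries a PKCE challenge in place of a client secret. The following is an added example, not Apptoto's code: the endpoint URL, client ID and redirect URI are placeholders, and the standard OAuth 2.0 / RFC 7636 parameter names and the S256 method are assumed, since this page does not list them.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical values: this page gives no endpoint URL or client ID.
AUTHORIZE_URL = "https://apptoto.example.invalid/oauth/authorize"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"  # must equal the registered URI
REGISTERED_SCOPES = {"calendars:read", "events:read", "events:write"}  # ticked on the app


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(scopes):
    """Return (url, verifier, state); store verifier and state with the user's session."""
    extra = set(scopes) - REGISTERED_SCOPES
    if extra:
        # Fail locally rather than send a request the server will reject.
        raise ValueError(f"scopes not ticked on the application: {sorted(extra)}")
    verifier = b64url(secrets.token_bytes(32))  # 43 characters, 256 bits of entropy
    state = b64url(secrets.token_bytes(16))     # binds the callback to this request
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(sorted(scopes)),
        "state": state,
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", verifier, state


def callback_is_valid(callback_url: str, expected_state: str) -> bool:
    """Accept the redirect only if it carries a code and the state we issued."""
    query = parse_qs(urlsplit(callback_url).query)
    got = query.get("state", [""])[0]
    return "code" in query and secrets.compare_digest(got.encode(), expected_state.encode())
```

Under RFC 7636 the stored verifier is sent as `code_verifier` when the code is exchanged for a token, so an intercepted authorization code is useless without it.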
Edit or delete an application
From the OAuth Applications list:
- Click the gear icon in the Actions column to change the name, redirect URI, server-side toggle, or scopes. The client ID stays the same; the client secret is not shown on edit and does not change.
- Click Delete on the edit screen to remove an application. Every access token Apptoto has issued to that application is revoked immediately, so any user who connected through it loses access until they re-authorize.
Related
- Authorized Applications — review and revoke OAuth applications that have been granted access to your account.