Overview
Plugsky supports OAuth 2.0 authorization-code flow with PKCE (Proof Key for Code Exchange). This allows third-party apps to request limited access to a user's Plugsky workspace without exposing their API key.
Getting started
- Register your app — Contact hello@plugsky.com to register your OAuth application and receive a
client_idandclient_secret. - Choose a flow — For server-side apps, use the standard authorization-code flow. For single-page or mobile apps, use the PKCE flow.
- Redirect users — Send users to
https://plugsky.com/oauth/authorize?client_id=YOUR_ID&redirect_uri=YOUR_URI&response_type=code&scope=read_write - Exchange the code — POST to
https://api.plugsky.com/oauth/tokenwith the authorization code to receive an access token.
Scopes
read— Read-only access to workspace datawrite— Create and modify resourcesadmin— Full administrative accessoffline_access— Receive a refresh token for long-lived access
Example (PKCE flow)
// 1. Generate code verifier and challenge
const verifier = crypto.randomUUID() + crypto.randomUUID();
const challenge = btoa(String.fromCharCode(...new Uint8Array(
await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))
))).replace(/\+/g,'-').replace(/\//g,'_').replace(/=+$/,'');
// 2. Redirect user
window.location = `https://plugsky.com/oauth/authorize?` +
`client_id=YOUR_CLIENT_ID&` +
`redirect_uri=${encodeURIComponent('https://yourapp.com/callback')}&` +
`response_type=code&` +
`scope=read_write&` +
`code_challenge=${challenge}&` +
`code_challenge_method=S256`;
// 3. Exchange code for token (on your server)
fetch('https://api.plugsky.com/oauth/token', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({
grant_type: 'authorization_code',
code: 'THE_AUTH_CODE',
redirect_uri: 'https://yourapp.com/callback',
client_id: 'YOUR_CLIENT_ID',
code_verifier: verifier,
})
});
Contact us
For OAuth app registration and integration support, email hello@plugsky.com.