Authorization header: Authorization: Bearer <token>. The token embeds the user’s role-based access rights, which the server checks on every endpoint. Obtain a token from the OAuth 2.0 token endpoint POST /api/v1/oauth/token. The request body is form-encoded (application/x-www-form-urlencoded), as per OAuth 2.0.
| Grant | Description |
|---|---|
password | Exchange a user’s email address and password for an access token (for your own first-party software). |
refresh_token | Exchange a refresh token for a fresh access token, without asking for credentials again. |
authorization_code | Standard OAuth 2.1 authorization-code + PKCE flow, used by MCP clients and third-party apps. See the MCP server page. |
Access tokens are valid for 60 minutes; refresh tokens for 30 days. Refresh proactively, shortly before the access token expires, so long-running tools never make a call with an expired token.
# Password grant
curl -X POST https://stardraw.cloud/api/v1/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=you@example.com&password=YOUR_PASSWORD"
# Refresh grant
curl -X POST https://stardraw.cloud/api/v1/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN"The response is a standard OAuth token payload:
{
"token_type": "Bearer",
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"refresh_token": "eyJhbGciOiJIUzI1NiIs...",
"expires_at": 1717171717000
}For OAuth 2.1 / OpenID-style clients, the server publishes the usual discovery documents so clients can configure themselves automatically:
| Document | Endpoint |
|---|---|
| Authorization-server metadata (RFC 8414) | GET /.well-known/oauth-authorization-server |
| OpenID configuration alias | GET /.well-known/openid-configuration |
| Protected-resource metadata (RFC 9728) | GET /.well-known/oauth-protected-resource |
Ready to try it? Head to the API reference, press Authorize, paste your access token and run a call.