Skip to main content
Gumloop supports OAuth 2.0, which is recommended if you’re building an application that other Gumloop users sign in to. The flow follows the standard authorization code grant with PKCE (S256) and issues refresh tokens.

Register an OAuth application

OAuth client registration is currently invite-only.
Email support@gumloop.com with your app name, use case, redirect URI(s), and logo. We’ll review and reach out with a client_id.

Redirect the user to Gumloop

When authorizing a user, redirect to the authorization endpoint with the correct parameters and scopes.

Example

Handle the redirect

After the user approves your app, Gumloop redirects them back to your redirect_uri with the authorization code and your state in the query string. Always validate that state matches the value you sent.

Exchange the code for tokens

Exchange the code (plus your PKCE code_verifier) for an access token.

Example

Response

Make API requests

Pass the access token as a bearer header on every request, exactly like an API key:

Refresh an access token

When expires_in elapses, exchange the refresh token for a new access token.

Revoke a token

Scopes

The gumloop_api scope requires the authorizing user to be on the Pro plan or above. Token exchange will fail if the user’s account does not meet this requirement.