OAuth Refresh Token List
List OAuth refresh tokens issued to the authenticated account. This is the member-facing "authorised applications" view: it lists apps the signed-in account has authorised and can revoke. In OAuth terms, these rows are grants/tokens, not application definitions. This may include grants for built-in first-party clients such as the default Storyden CLI. Those clients are not created by the member and therefore do not appear in the member OAuth client list.
GET /auth/oauth/tokens
Authorization
browser In: cookie
Response Body
application/json
application/json
curl -X GET "https://example.com/auth/oauth/tokens"

{
  "tokens": [
    {
      "id": "cc5lnd2s1s4652adtu50",
      "createdAt": "2019-08-24T14:15:22Z",
      "oauth_client_id": "cc5lnd2s1s4652adtu50",
      "client_id": "string",
      "client_name": "string",
      "account_id": "cc5lnd2s1s4652adtu50",
      "scope": "string",
      "expires_at": "2019-08-24T14:15:22Z",
      "revoked_at": "2019-08-24T14:15:22Z",
      "replaced_by_token_id": "cc5lnd2s1s4652adtu50",
      "last_used_at": "2019-08-24T14:15:22Z"
    }
  ]
}

{
  "error": "string",
  "message": "string",
  "suggested": "string",
  "metadata": {}
}

OAuth Refresh Token Delete DELETE
Revoke one OAuth refresh token issued to the authenticated account. This prevents future refresh-token use for the selected grant. Existing JWT access tokens remain valid until their expiry.
OAuth Token POST
Exchange an OAuth authorisation code, device code, refresh token, or client credentials grant for tokens. Supported grants are advertised by `/.well-known/openid-configuration`. Public clients authenticate with `client_id` only and must use grants suitable for public clients, such as device code or authorisation code with PKCE. Confidential clients must provide `client_secret` for authorisation-code, refresh-token, and client-credentials exchanges. Storyden access tokens are short-lived JWTs containing the issued `scope`. Revoking a refresh token or changing account permissions does not revoke an already-issued access token; permission changes are applied on the next token issuance or refresh. Device-code polling returns OAuth-compatible errors such as `authorization_pending`, `slow_down`, `expired_token`, `access_denied`, and `invalid_grant`.
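One way to triage the token list response before deciding which grants to revoke, as an added example that is not Storyden's own code: it sorts each row into revoked, rotated, expired, stale or active. It assumes that a null `revoked_at`, `replaced_by_token_id` or `last_used_at` means not revoked, not rotated or never used; the 90-day staleness threshold and all sample values are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample response: field names follow the schema on this page, values are invented.
SAMPLE = json.loads("""{"tokens": [
  {"id": "tok_a", "client_name": "Example CLI", "scope": "example:read",
   "createdAt": "2025-01-01T00:00:00Z", "expires_at": "2025-12-31T00:00:00Z",
   "revoked_at": null, "replaced_by_token_id": null, "last_used_at": "2025-05-30T09:00:00Z"},
  {"id": "tok_b", "client_name": "Example Importer", "scope": "example:read example:write",
   "createdAt": "2024-11-01T00:00:00Z", "expires_at": "2025-12-31T00:00:00Z",
   "revoked_at": null, "replaced_by_token_id": null, "last_used_at": "2025-01-10T00:00:00Z"},
  {"id": "tok_c", "client_name": "Example Importer", "scope": "example:read",
   "createdAt": "2024-10-01T00:00:00Z", "expires_at": "2025-12-31T00:00:00Z",
   "revoked_at": "2025-03-01T00:00:00Z", "replaced_by_token_id": null, "last_used_at": null},
  {"id": "tok_d", "client_name": "Example CLI", "scope": "example:read",
   "createdAt": "2024-12-01T00:00:00Z", "expires_at": "2025-12-31T00:00:00Z",
   "revoked_at": null, "replaced_by_token_id": "tok_a", "last_used_at": "2024-12-31T00:00:00Z"},
  {"id": "tok_e", "client_name": "Example Bot", "scope": "example:read",
   "createdAt": "2025-02-01T00:00:00Z", "expires_at": "2025-05-01T00:00:00Z",
   "revoked_at": null, "replaced_by_token_id": null, "last_used_at": "2025-04-30T00:00:00Z"}
]}""")

def parse_ts(value):
    """Parse an RFC 3339 timestamp; a null or missing value stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def classify(token, now, stale_after=timedelta(days=90)):
    """Assumption: null revoked_at / replaced_by_token_id / last_used_at mean 'not set'."""
    if parse_ts(token.get("revoked_at")):
        return "revoked"
    if token.get("replaced_by_token_id"):
        return "rotated"  # superseded by a newer refresh token
    expires = parse_ts(token.get("expires_at"))
    if expires and expires <= now:
        return "expired"
    last = parse_ts(token.get("last_used_at")) or parse_ts(token.get("createdAt"))
    if last and now - last > stale_after:
        return "stale"  # still usable but idle: the candidate for revocation
    return "active"

def review(response, now):
    """Group token ids by state; 'stale' and unrecognised 'active' rows need attention."""
    report = {}
    for token in response.get("tokens", []):
        report.setdefault(classify(token, now), []).append(token["id"])
    return report

if __name__ == "__main__":
    print(review(SAMPLE, datetime.now(timezone.utc)))
```

Revoking a grant flagged here stops future refresh-token use only; access tokens already issued under it remain valid until they expire.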