OAuth Refresh Token List
List OAuth refresh tokens issued to the authenticated account.
This is the member-facing "authorised applications" view: it lists apps the signed-in account has authorised and can revoke. In OAuth terms, these rows are grants/tokens, not application definitions.
This may include grants for built-in first-party clients such as the default Storyden CLI. Those clients are not created by the member and therefore do not appear in the member OAuth client list.
GET /auth/oauth/tokens
Authorization
browser In: cookie
```bash
curl -X GET "https://loading/api/auth/oauth/tokens"
```

Response Body
application/json

```json
{
  "tokens": [
    {
      "id": "cc5lnd2s1s4652adtu50",
      "createdAt": "2019-08-24T14:15:22Z",
      "oauth_client_id": "cc5lnd2s1s4652adtu50",
      "client_id": "string",
      "client_name": "string",
      "account_id": "cc5lnd2s1s4652adtu50",
      "scope": "string",
      "expires_at": "2019-08-24T14:15:22Z",
      "revoked_at": "2019-08-24T14:15:22Z",
      "replaced_by_token_id": "cc5lnd2s1s4652adtu50",
      "last_used_at": "2019-08-24T14:15:22Z"
    }
  ]
}
```

application/json

```json
{
  "error": "string",
  "message": "string",
  "suggested": "string",
  "metadata": {}
}
```

OAuth Refresh Token Delete DELETE
Revoke one OAuth refresh token issued to the authenticated account. This prevents future refresh-token use for the selected grant. Existing JWT access tokens remain valid until their expiry.
OAuth Token POST
Exchange an OAuth authorisation code, device code, refresh token, or client credentials grant for tokens. Supported grants are advertised by `/.well-known/openid-configuration`. Public clients authenticate with `client_id` only and must use grants suitable for public clients, such as device code or authorisation code with PKCE. Confidential clients must provide `client_secret` for authorisation-code, refresh-token, and client-credentials exchanges. Storyden access tokens are short-lived JWTs containing the issued `scope`. Revoking a refresh token or changing account permissions does not revoke an already-issued access token; permission changes are applied on the next token issuance or refresh. Device-code polling returns OAuth-compatible errors such as `authorization_pending`, `slow_down`, `expired_token`, `access_denied`, and `invalid_grant`.
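A triage pass over the `/auth/oauth/tokens` list response, as an added example that is not Storyden's own code: it sorts each grant row into revoked, rotated, expired, stale or active so that unused grants can be reviewed for revocation. It assumes unset fields (`revoked_at`, `replaced_by_token_id`, `last_used_at`) arrive as null or are absent; the 90-day staleness threshold, the helper names and the sample rows are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the list response; every value is made up.
SAMPLE = json.loads("""{"tokens": [
 {"id": "tok-active", "client_name": "Storyden CLI", "expires_at": "2025-12-31T00:00:00Z",
  "revoked_at": null, "replaced_by_token_id": null, "last_used_at": "2025-05-30T09:00:00Z"},
 {"id": "tok-stale", "client_name": "old-script", "expires_at": "2025-12-31T00:00:00Z",
  "revoked_at": null, "replaced_by_token_id": null, "last_used_at": "2025-01-10T09:00:00Z"},
 {"id": "tok-revoked", "client_name": "old-script", "expires_at": "2025-12-31T00:00:00Z",
  "revoked_at": "2025-03-01T12:00:00Z", "replaced_by_token_id": null, "last_used_at": null},
 {"id": "tok-rotated", "client_name": "Storyden CLI", "expires_at": "2025-12-31T00:00:00Z",
  "revoked_at": null, "replaced_by_token_id": "tok-active", "last_used_at": "2025-05-01T09:00:00Z"},
 {"id": "tok-expired", "client_name": "old-script", "expires_at": "2025-04-01T00:00:00Z",
  "revoked_at": null, "replaced_by_token_id": null, "last_used_at": "2025-03-30T09:00:00Z"}
]}""")

def parse_ts(value):
    """Parse an RFC 3339 timestamp; null or missing stays None (assumed nullable)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def classify(token, now, stale_after=timedelta(days=90)):
    """Return one state per grant row, checking the most decisive field first."""
    if parse_ts(token.get("revoked_at")):
        return "revoked"
    if token.get("replaced_by_token_id"):
        return "rotated"  # superseded by a newer refresh token
    expires = parse_ts(token.get("expires_at"))
    if expires and expires <= now:
        return "expired"
    # A grant that was never used is aged from its creation time instead.
    last_seen = parse_ts(token.get("last_used_at")) or parse_ts(token.get("createdAt"))
    if last_seen and now - last_seen > stale_after:
        return "stale"
    return "active"

def triage(response, now):
    """Map token id -> state for every row in a token list response."""
    return {t["id"]: classify(t, now) for t in response.get("tokens", [])}

def revoke_candidates(response, now):
    """IDs of still-usable grants that have gone unused past the threshold."""
    return [tid for tid, state in triage(response, now).items() if state == "stale"]

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
    for tid, state in triage(SAMPLE, now).items():
        print(f"{tid:12} {state}")
```

Revoking a candidate only blocks future refreshes for that grant; as stated above, access tokens already issued from it remain valid until they expire.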