Connected apps with OAuth
Use OAuth when your app or agent needs a revocable token for a Lipafy user. Use an API key only for your own account or server-side automation that you control.
What is supported
Lipafy currently supports:
- Authorization code flow with PKCE (
S256) - Refresh tokens with rotation
- Dynamic client registration
- Token revocation
- Public clients with
token_endpoint_auth_method: "none" - Confidential clients with
client_secret_basicorclient_secret_post - OAuth Protected Resource Metadata for MCP clients
Current scopes:
Capability execution is still governed by the user’s wallet balance, grants, spending controls, approvals, and mandates.
Discovery
Returns the OAuth endpoints, supported grants, PKCE methods, token endpoint auth methods, and supported scopes.
For MCP, Lipafy also exposes:
Register a client
For a confidential server-side client, use client_secret_basic or client_secret_post. Lipafy returns a client_secret only when the token endpoint auth method is not none.
Send the user to authorize
Create a PKCE verifier/challenge pair, then redirect the user:
If the user is not signed in, Lipafy sends them to the dashboard login page first, then returns them to the same authorization request.
After approval, Lipafy redirects back to your redirect_uri with a single-use code:
Always verify state before exchanging the code.
Exchange the code
For a public client:
For a confidential client, authenticate with either HTTP Basic auth or client_secret_post.
The response includes:
Call Lipafy
Use the access token as a bearer token:
Lipafy resolves the OAuth grant, checks wallet balance and spending controls, and executes the paid call only if it is allowed.
Refresh tokens
Refresh tokens rotate. Store the new refresh token returned by each refresh response and discard the old one.
Revoke tokens
Users can also revoke connected apps from the Lipafy dashboard.
