DigitalOcean OAuth API

Validated on 18 Aug 2025 • Last edited on 28 Aug 2025

OAuth 2.0 is an open standard for authorization that enables third-party applications to obtain limited access to a service. The DigitalOcean OAuth API lets you obtain limited access to DigitalOcean teams by delegating authentication to DigitalOcean.

About the DigitalOcean OAuth API

Our OAuth API supports the authorization code flow meant for web applications running on a server. It also supports the implicit authorization flow. This is useful for client-side applications such as mobile or desktop clients where the client secret should not be stored on the user’s device.

The DigitalOcean authorization server, https://cloud.digitalocean.com/v1/oauth, has the following endpoints:

Endpoint Description
/authorize Request user authorization
/token Request an authorized access token
/refresh Refresh an access token using a refresh token
/revoke Revoke an access token

To use the OAuth API, first register your application to use OAuth. Registering an application assigns it a client ID and client secret which you then use in API calls to the DigitalOcean authorization server.

For issues and errors, use the OAuth API troubleshooting guide.

/authorize: Request User Authorization

Use the https://cloud.digitalocean.com/v1/oauth/authorize endpoint as an authorization link to send to a user for your registered OAuth application.

Example

You can view an example link for a registered OAuth application in the control panel. On the OAuth Applications page, click the next to the application’s name, then click View to open the Oauth Application Details window. In this window, the Link to authorization code section has an example link.

Parameters

Parameter Type Necessity Description
client_id string Required The client ID for your registered OAuth application on DigitalOcean.
redirect_uri string Required The callback URL where users are sent after authorization. Must match the callback URL you provided during application registration.
response_type string Required Set to code to request an authorization code. Set to token to request an OAuth token for implicit authorization.
scope string Optional See all token scopes.
state string Optional An unguessable random string. Used to protect against request forgery attacks. Recommended.
prompt string Optional A space-separated list of strings that Defines the behavior of the authorization page as shown to the user when they authorize an OAuth application. See values below.

The response_type parameter can have the following values:

  • code: Requests an authorization code. Used for the authorization code flow for web applications.

    When you use this response type, you request the access token grant with the /token endpoint.

  • token: Requests an OAuth token. Used for the implicit authorization flow for client-side applications.

    When you use this response type, you receive the access token grant in a callback.

The prompt parameter can have the following values:

  • select_account (default):

    • If a user is not signed in, they are required to sign in.

    • Signed-in users must authorize the OAuth application before proceeding.

  • none:

    • Signed-in users who have already authorized the application are redirected back to the valid redirect_url with a new token. A hint can be used by specifying an i query parameter with the first 6 characters of an expected account UUID.

    • Signed-in users who haven’t authorized the application are redirected with error=consent_required. Signed-out users are redirected with error=login_required.

Returns

If the user authorizes the application, DigitalOcean redirects back to your redirect_uri with the following parameters:

  • One of the following, depending on the specified response_type:

    • The code parameter with an authorization code. Use this in access token requests to the /token endpoint.

    • The token parameter with an OAuth token. Here is an example callback (access token grant) for token response types:

    https://example.com/callback#access_token=doo_v1_EXAMPLE4ea...381
  &token_type=bearer
  &expires_in=2592000
  &state=0807edf7d85e5d

  • The state parameter, if you specified one in the authorization request.

    Verify that the value of state in the response matches the one you provided in the request. If not, it indicates that the request may be a forgery attack created by a third party, and you should abort the request.

  • The expires_in parameter, which indicates the time remaining before the token expires in seconds.

The token is available to use to make requests via the DigitalOcean API until the token expires (30 days after being issues) or is otherwise invalidated (for example, revoked or refreshed).

POST /token: Request Authorized Access Token

If a user authorizes your application with the authorization code flow, make a POST request to the https://cloud.digitalocean.com/v1/oauth/token endpoint with the appropriate parameters to request the access token.

Example

Here is an example access token request using curl:

curl -X POST "https://cloud.digitalocean.com/v1/oauth/token?grant_type=authorization_code
  &code=f252c4bd6b1b4d249b7
  &client_id=4c413ac36ac22268
  &client_secret=b05a2ad77b24f3
  &redirect_uri=https://example.com/callback"

Parameters

Parameter Type Necessity Description
grant_type string Required Must be set to authorization_code for an access token request.
code string Required The code received as a response to authorization with the /authorize endpoint.
client_id string Required The client ID for your registered OAuth application on DigitalOcean.
client_secret string Required The client secret for your registered OAuth application on DigitalOcean.
redirect_uri string Required Must match the callback URL that you supplied during application registration.

Response

If the request was successful, the authorization server returns a JSON access token grant similar to the following:

{
    "access_token": "doo_v1_EXAMPLE4efe8999d0892b6069bc754a78c656f8e843361e1e4d1cd04ac85c381",
    "token_type": "bearer",
    "expires_in": 2592000,
    "refresh_token": "dor_v1_EXAMPLE3104521c47be0b580e9296453ef4y319b02b5513469f0ec72d99af2e2",
    "info": {
        "name": "Sammy the Shark",
        "email":"[email protected]",
        "uuid":"EXAMPLE0-a636-11ec-9e9d-3381ceabe039",
        "team_uuid": "EXAMPLE1-a636-11ec-a6ac-1323bf96ef4d",
        "team_name": "My Team"
    }
}

In addition to other information, the response includes two important items: access_token and refresh_token.

The access token is available to use to make requests via the DigitalOcean API until the token expires or token is otherwise invalidated.

POST /refresh: Refresh Token

Each access token comes with a refresh token. You can use a refresh token exactly once to create a new access token (and refresh token). Doing so invalidates the access token that the refresh token was issued with. A common use case is refreshing an expired token.

To refresh a token, make a POST request to the https://cloud.digitalocean.com/v1/oauth/refresh endpoint with the appropriate parameters.

Parameters

Parameter Type Necessity Description
grant_type string Required Must be set to refresh_token for a token refresh request.
refresh_token string Required The refresh_token that was received with the original access token.

Response

The refresh token response is in the same format as the original access token grant. See the response for /token.

POST /revoke: Revoke Token Flow

Revoking an access token invalidates it so that it cannot be used.

To revoke an access token, send a POST request to the https://cloud/digitalocean.com/v1/oauth/revoke endpoint with an Authorization: Bearer header and the appropriate parameters.

Parameters

Parameter Type Necessity Description
token string Required Must be set to the value of the access token.

Response

The response to this request is an empty JSON object.

We can't find any results for your search.

Try using different keywords or simplifying your search terms.