OAuth 2.0 Authentication — Getting Started. The v3 API uses OAuth 2.0 with Proof Key for Code Exchange (PKCE) for browser-based and mobile applications. Server-to-server integrations use the client_credentials grant type. To begin, register your application in the Developer Console to obtain a client_id and client_secret. For PKCE flows, generate a cryptographically random code_verifier of at least 43 characters, compute the code_challenge using SHA-256, and include both the code_challenge and code_challenge_method=S256 parameters in the authorization request. The authorization endpoint is https://auth.api.example.com/oauth/authorize. After the user grants consent, the authorization server redirects to your registered redirect_uri with an authorization code. Exchange this code, along with the code_verifier, at the token endpoint https://auth.api.example.com/oauth/token to receive an access token and refresh token. Access tokens are signed JWTs with a default TTL of 900 seconds (15 minutes).