OAuth 2.0 client-credentials

Mint a short-lived Bearer JWT from your ApiKey credentials and use it interchangeably with X-API-Key. Useful for pipelines that prefer OAuth over a static header.

Token endpoint

Send a POST request with an application/x-www-form-urlencoded body to /api/v1/oauth/token. Pass client_id (your ApiKey.id) and client_secret (the plaintext key shown once on creation). The response contains an access_token that is valid for 15 minutes.

curl -X POST https://duevestor.com/api/v1/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=<ApiKey.id>" \
  -d "client_secret=dvk_..."
# →
# {
#   "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
#   "token_type": "Bearer",
#   "expires_in": 900,
#   "scope": "reports:read reports:write monitoring:read"
# }

Use the token

Pass the JWT in the Authorization header. Every existing /api/v1/* route accepts it alongside X-API-Key.

curl https://duevestor.com/api/v1/reports \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiI..."
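
The two steps above as a pipeline client, in an added example that is not part of the Duevestor documentation or any Duevestor SDK: it mints the token from the documented endpoint, caches it in memory, and re-mints it 60 seconds before the 15-minute lifetime ends. The names `TokenCache` and `http_post_form`, the `skew` margin and the injectable `post`/`clock` parameters are assumptions of this example.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://duevestor.com/api/v1/oauth/token"  # endpoint from the page


def http_post_form(url, fields):
    """Default transport (example helper): POST a form body, return parsed JSON."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    # urlopen raises HTTPError on a non-2xx reply, e.g. rejected credentials.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Example class: holds the Bearer JWT and refreshes it before it expires."""

    def __init__(self, client_id, client_secret, post=http_post_form,
                 clock=time.monotonic, skew=60):
        self._fields = {
            "grant_type": "client_credentials",
            "client_id": client_id,          # ApiKey.id
            "client_secret": client_secret,  # plaintext key, shown once on creation
        }
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._deadline = None, 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._deadline:
            reply = self._post(TOKEN_URL, self._fields)
            is_bearer = str(reply.get("token_type", "")).lower() == "bearer"
            if not is_bearer or not reply.get("access_token"):
                # Do not log the reply itself: it may contain a usable JWT.
                raise ValueError("unexpected token response")
            self._token = reply["access_token"]
            # Refresh `skew` seconds early so a request never carries a stale token.
            self._deadline = now + max(0, int(reply["expires_in"]) - self._skew)
        return self._token

    def auth_header(self):
        """Header dict to merge into any /api/v1/* request."""
        return {"Authorization": "Bearer " + self.token()}
```

Keeping the token only in process memory and reading `client_secret` from the pipeline's secret store, rather than from the command line, keeps both out of shell history and build logs.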

Introspect a token (RFC 7662)

POST the token to /api/v1/oauth/introspect (auth required via X-API-Key) to verify validity without parsing the JWT yourself.

curl -X POST https://duevestor.com/api/v1/oauth/introspect \
  -H "X-API-Key: dvk_..." \
  -d "token=eyJhbGciOiJIUzI1NiI..."

Notes