- Static API key
- OAuth 2.0

Every request carries three headers:

The signature payload differs by HTTP method:
- POST/PUT/PATCH/DELETE: sign `{timestamp}.{body}`
- GET: sign `{timestamp}.{uri}` (full path + query string)

For multipart/form-data requests, sign the exact raw request body bytes with a timestamp prefix: `{timestamp}.<raw-bytes>`.

Requests with timestamps older than 5 minutes are rejected.

How to calculate
- Get the current Unix timestamp in milliseconds.
- Build the payload:
  - POST/PUT/PATCH/DELETE: `{timestamp}.{raw-body}`
  - GET: `{timestamp}.{uri}` (for example `/v2/members?limit=10&offset=0`)
- Calculate HMAC-SHA256 of the payload using your API secret.
- Hex-encode the digest (64 lowercase chars).
- Send both `X-Signature` and `X-Timestamp`.

Example — POST (Python)
Example — GET (Python)
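
The POST and GET cases together, as an added example that is not the API's own sample code. It builds only the two headers named above, and `verify` is an assumed sketch of the receiving side (freshness check, then constant-time comparison); the function names are illustrative.

```python
import hashlib
import hmac
import time

MAX_AGE_MS = 5 * 60 * 1000  # timestamps older than 5 minutes are rejected
BODY_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def build_payload(method: str, timestamp_ms: int, uri: str, raw_body: bytes = b"") -> bytes:
    """Return the bytes to sign: {timestamp}.{raw-body} or {timestamp}.{uri}."""
    prefix = f"{timestamp_ms}.".encode("ascii")
    method = method.upper()
    if method in BODY_METHODS:
        # Sign the exact bytes sent on the wire (multipart/form-data included).
        # Re-serializing JSON after signing changes the bytes and the signature.
        return prefix + raw_body
    if method == "GET":
        return prefix + uri.encode("utf-8")  # full path + query string
    raise ValueError(f"no signing rule for method {method}")


def sign(secret: bytes, method: str, uri: str, raw_body: bytes = b"", now_ms=None) -> dict:
    """Return the X-Timestamp and X-Signature header values for one request."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    payload = build_payload(method, ts, uri, raw_body)
    digest = hmac.new(secret, payload, hashlib.sha256).hexdigest()  # 64 lowercase hex chars
    return {"X-Timestamp": str(ts), "X-Signature": digest}


def verify(secret: bytes, method: str, uri: str, raw_body: bytes, headers: dict, now_ms: int) -> bool:
    """Assumed receiver-side logic: reject stale timestamps, then compare in constant time."""
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if now_ms - ts > MAX_AGE_MS:
        return False
    payload = build_payload(method, ts, uri, raw_body)
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    supplied = headers.get("X-Signature", "")
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

Pass the same byte string to `sign` and to the HTTP client as the request body; signing a dict and letting the client serialize it separately is the usual cause of signature mismatches.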
Our API documentation tools cannot automatically generate HMAC signatures. Calculate the signature manually or use a tool like Postman with pre-request scripts.
OAuth scopes
OAuth bots are authorized by scope, not by read / write. Each /v2/* endpoint requires a specific scope — the bot must be granted that scope at creation, and the access token must include it.
| Scope | Grants access to |
|---|---|
| channel:list | GET /v2/topics |
| channel:read | GET /v2/topics/{topicId}, GET /v2/topics/external/{externalId} |
| channel:write | POST /v2/topics, PATCH /v2/topics/{topicId}, POST/DELETE /v2/topics/{topicId}/members |
| message:read | GET /v2/messages/{messageId}, GET /v2/topics/{topicId}/messages |
| message:send | POST /v2/messages |
| message:write | PATCH /v2/messages/{messageId}, DELETE /v2/messages/{messageId}, POST /v2/messages/{messageId}/delivered, POST /v2/messages/{messageId}/read |
| reaction:write | POST /v2/messages/{messageId}/reactions, DELETE /v2/messages/{messageId}/reactions/{reactionId} |
| task:read | GET /v2/tasks, GET /v2/tasks/{taskId} |
| task:write | POST /v2/tasks, PATCH /v2/tasks/{taskId}, DELETE /v2/tasks/{taskId} |
| poll:write | POST /v2/polls, POST/DELETE /v2/polls/{pollId}/votes/... |
| member:read | GET /v2/members, GET /v2/members/me |
| updates:read | GET /v2/updates |