
Authentication

Learn how to authenticate with the OpsPilot365 API.

API Keys

API keys provide programmatic access to OpsPilot365. Each key is scoped to your organization.

Creating an API Key

  1. Navigate to Settings → Integrations → API Keys
  2. Click “Create API Key”
  3. Enter a descriptive name
  4. Select permissions:
    • Read - View data only
    • Write - Create and update data
    • Admin - Full access including deletions
  5. Click “Create”
  6. Copy and securely store the key (it won’t be shown again)

Treat API keys like passwords. Never commit them to source control or expose them in client-side code.

Using API Keys

Include your API key in the Authorization header:

curl -X GET \
  -H "Authorization: Bearer op365_sk_live_abc123..." \
  https://api.opspilot365.com/v1/tenants

Key Prefixes

Prefix            Environment
op365_sk_live_    Production
op365_sk_test_    Sandbox/Testing
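
Because every key starts with one of the two prefixes above, a scan run before commit or in CI can catch keys before they reach source control. The script below is an added example, not OpsPilot365 tooling; the function name scan_op365_keys and the key body pattern ([A-Za-z0-9]+ after the prefix) are assumptions, since this page shows only the prefixes.

```shell
#!/bin/sh
# Added example (not OpsPilot365 tooling): scan files for committed API keys.
# Assumption: the key body after the documented prefix matches [A-Za-z0-9]+;
# the page shows only the prefixes, so adjust OP365_KEY_RE if real keys differ.
OP365_KEY_RE='op365_sk_(live|test)_[A-Za-z0-9]+'

# scan_op365_keys PATH...
# Prints "file:line: <environment> key found (body redacted)" for each hit.
# Returns 0 when clean, 1 when a key is found, 2 when grep reports an error.
scan_op365_keys() {
    op365_status=0
    op365_hits=$(grep -rnoHE -e "$OP365_KEY_RE" -- "$@") ||
        op365_status=$?
    case $op365_status in
        0) ;;            # at least one match: report below
        1) return 0 ;;   # no match
        *) return 2 ;;   # unreadable or missing path
    esac
    # Report location and environment only, so the output never repeats the key.
    printf '%s\n' "$op365_hits" | while IFS= read -r op365_hit; do
        op365_loc=${op365_hit%:op365_sk_*}
        case $op365_hit in
            *:op365_sk_live_*) op365_env='Production' ;;
            *)                 op365_env='Sandbox/Testing' ;;
        esac
        printf '%s: %s key found (body redacted)\n' "$op365_loc" "$op365_env"
    done
    return 1
}

# When invoked with paths (for example from a pre-commit hook), scan them.
if [ "$#" -gt 0 ]; then
    scan_op365_keys "$@"
    exit $?
fi
```

A non-zero exit from a pre-commit hook or CI step blocks the change; any key the scan finds should be treated as exposed and revoked.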

OAuth 2.0

For applications that act on behalf of users, use OAuth 2.0.

Authorization Flow

  1. Redirect to authorization URL

     https://auth.opspilot365.com/oauth/authorize?
       client_id=YOUR_CLIENT_ID&
       redirect_uri=YOUR_REDIRECT_URI&
       response_type=code&
       scope=read:tenants write:users

  2. Exchange code for tokens

     curl -X POST https://auth.opspilot365.com/oauth/token \
       -d "grant_type=authorization_code" \
       -d "code=AUTH_CODE" \
       -d "client_id=YOUR_CLIENT_ID" \
       -d "client_secret=YOUR_CLIENT_SECRET" \
       -d "redirect_uri=YOUR_REDIRECT_URI"

  3. Use access token

     curl -H "Authorization: Bearer ACCESS_TOKEN" \
       https://api.opspilot365.com/v1/tenants

Refreshing Tokens

curl -X POST https://auth.opspilot365.com/oauth/token \
  -d "grant_type=refresh_token" \
  -d "refresh_token=REFRESH_TOKEN" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

Scopes

Scope             Description
read:tenants      View tenant information
write:tenants     Modify tenant settings
read:users        View user data
write:users       Create/update users
read:licenses     View license data
write:licenses    Assign/remove licenses
admin             Full administrative access

Security Best Practices

  1. Rotate keys regularly - Create new keys and deprecate old ones
  2. Use minimum permissions - Only request scopes you need
  3. Secure storage - Use environment variables or secret managers
  4. Monitor usage - Review API logs for suspicious activity
  5. IP allowlisting - Restrict key usage to known IPs (Enterprise)

Revoking Access

Revoking API Keys

  1. Go to Settings → Integrations → API Keys
  2. Find the key to revoke
  3. Click “Revoke”
  4. Confirm the action

Revoking OAuth Tokens

curl -X POST https://auth.opspilot365.com/oauth/revoke \
  -d "token=ACCESS_TOKEN" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"