Authentication

hzel supports two authentication methods: OAuth (for applications and integrations acting on behalf of users) and Personal Access Tokens (for direct programmatic access).

All authenticated requests must include a bearer token in the Authorization header:

Authorization: Bearer <your-token>

OAuth

OAuth is the recommended method for third-party applications and integrations. It lets your application act on behalf of a hzel user without handling their credentials.

Register an OAuth application

Before starting the flow, register your application via the API. You must be authenticated as a hzel user to do this. You can also register and manage OAuth applications from Dashboard → Developer.

Step 1 — Redirect the user to the consent page

Build the authorization URL and redirect the user's browser to it. Generate a cryptographically random state value per request to prevent CSRF attacks.

https://hzel.org/oauth/consent
  ?client_id=<your-client-id>
  &redirect_uri=<your-redirect-uri>
  &response_type=code
  &state=<random-state>

The redirect_uri must exactly match one of the URIs registered for your application.

Step 2 — Handle the callback

After the user approves consent, hzel redirects their browser to your redirect_uri with code and state query parameters:

https://myapp.example.com/callback?code=<code>&state=<state>

If the user denies consent, the redirect instead carries error=access_denied.

Always verify that the state matches the value you sent in Step 1 before proceeding.

The authorization code is single-use and expires after 10 minutes.

Step 3 — Exchange the code for tokens

The redirect_uri must match exactly what you used in Step 1. Access tokens expire after 15 minutes (900 seconds).

Step 4 — Call the API

Use the access token as a bearer token on every API request. See Get current user below for a concrete example.

Step 5 — Refresh the access token

When the access token expires, exchange the refresh token for a new token pair. Refresh tokens are rotated on every use — the token you send is immediately invalidated. Always persist the latest refresh_token from the response.

Step 6 — Revoke a refresh token

Call this when a user disconnects your application or signs out. Revocation is idempotent — revoking an already-revoked token succeeds silently.

Managing your OAuth application

All app management endpoints return an OAuthApplicationView — the client_secret is never included. See the structure reference for the full field table.

Rotating the client secret immediately revokes all existing refresh tokens for the application. Users will need to re-authorize.

Public app info

This unauthenticated endpoint is used by the hzel consent page to display application identity before a user approves access.

{
  "data": {
    "client_id": "a1b2c3d4-0000-0000-0000-000000000001",
    "name": "My Integration",
    "description": "Optional description",
    "owner_name": "Alice Example"
  }
}

Personal Access Tokens (PATs)

PATs are long-lived tokens tied directly to your account. They are best suited for CI pipelines, scripts, and other automated workflows where an interactive OAuth flow is not practical.

Create a token

List tokens

Revoke a token

Revocation is immediate. In-flight requests using the revoked token are rejected. Returns 404 Not Found if the token ID does not exist.

Get current user

Returns identity information about the account that owns the token used for this request. Works with all auth methods.