ReplyNodes

OAuth Applications

Build apps that act on behalf of ReplyNodes users

OAuth Applications

OAuth applications allow you to build products and integrations that act on behalf of other ReplyNodes users. OAuth tokens work identically to personal API keys for all API endpoints.

Creating an OAuth App

OAuth apps are created and managed through the Developer section in the ReplyNodes app:

  1. Navigate to Settings → Developer
  2. Click "Create New OAuth App"
  3. Provide your application name and description
  4. Configure your callback URL (if needed)
  5. Accept the terms and create the app

Once created, you'll receive:

  • App ID - Unique identifier for your application
  • App Secret - Used for server-to-server requests (keep this private!)
  • Initial Token - Starting OAuth token with pos_ prefix

OAuth Token Format

All OAuth tokens are prefixed with pos_ and can be used directly in the Authorization header:

curl -H "Authorization: pos_your_oauth_token" \
  https://api.replynodes.com/public/v1/posts

Authentication Flow

For Web Applications

If you're building a web application that needs user permission:

  1. Generate an authentication URL:
curl -X GET https://api.replynodes.com/public/v1/social/twitter \
  -H "Authorization: YOUR_APP_SECRET"
  1. Redirect the user to the returned URL
  2. After they authorize, capture the returned token
  3. Store the token securely and use it for API requests on their behalf

For Backend Integration

For backend-to-backend integrations, use your app's initial token:

curl -X POST https://api.replynodes.com/public/v1/posts \
  -H "Authorization: pos_your_app_token" \
  -H "Content-Type: application/json" \
  -d '{ "posts": [...] }'

Token Management

Rotate Tokens

Tokens can be rotated through the app settings in ReplyNodes. This invalidates the old token and issues a new one:

# Rotate the current token
curl -X POST https://api.replynodes.com/public/v1/user/api-key/rotate \
  -H "Authorization: pos_your_current_token"

Revoke Tokens

To revoke an OAuth token permanently:

  1. Go to Settings → Developer
  2. Find your app
  3. Click "Revoke Token"

Revoked tokens will no longer authenticate API requests.

Scopes & Permissions

Each OAuth app has access to the full API scope on the organization it's installed in. Tokens inherit the permissions of the user or organization that authorized them.

Ensure users understand what data and actions your app will perform on their behalf.

Use Cases

Third-Party Integrations

  • Build plugins that extend ReplyNodes
  • Create integrations with other platforms (Zapier, Make, etc.)
  • Connect ReplyNodes to custom internal tools

Multi-Account Management

  • Build tools that manage multiple ReplyNodes accounts
  • Create client management dashboards
  • Automate account setup workflows

AI & Automation

  • Build AI agents that can schedule posts
  • Create workflow automation tools
  • Integrate with LLMs and model context protocols

Analytics & Reporting

  • Build custom analytics dashboards
  • Export performance data to data warehouses
  • Create compliance reports

Security Best Practices

  1. Never share your App Secret - Only use it for server-to-server requests
  2. Store tokens securely - Use environment variables or secure vaults, never hardcode
  3. Rotate tokens regularly - Periodically rotate app tokens for security
  4. Validate user permissions - Always verify the user has permission before acting on their behalf
  5. Log API usage - Maintain audit trails of all API actions
  6. Use HTTPS only - Always send tokens over HTTPS connections

Rate Limiting

OAuth tokens share the same rate limits as personal API keys. Your plan's quota applies to all requests made with your app's tokens.

Example: Building a Multi-Channel Publisher

# 1. Authenticate with OAuth token
API_TOKEN="pos_your_oauth_token"
BASE_URL="https://api.replynodes.com/public/v1"

# 2. Get available integrations
curl -X GET "$BASE_URL/integrations" \
  -H "Authorization: $API_TOKEN" | jq '.[] | {id, name, identifier}'

# 3. Create and schedule a post
curl -X POST "$BASE_URL/posts" \
  -H "Authorization: $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "posts": [{
      "value": [{
        "text": "Scheduled via OAuth! 🚀",
        "image": [{"path": "https://example.com/image.jpg"}]
      }],
      "integrations": ["twitter", "linkedin", "instagram"]
    }],
    "releasedAt": "2024-01-15T14:00:00Z"
  }'

Troubleshooting

"Invalid OAuth Token"

  • Ensure the token is prefixed with pos_
  • Check that the token hasn't been revoked
  • Verify the token is still valid (check expiration)

"Unauthorized Access"

  • Verify the OAuth app has been properly created
  • Ensure the app is installed in the organization
  • Check that the token hasn't expired

"Rate Limit Exceeded"

  • Check your plan's rate limits
  • Implement exponential backoff for retries
  • Consider batching requests

Next Steps