Skip to Content

OAuth 2.0

OAuth 2.0 lets an application access the GPTfake API on behalf of a user without handling that user’s API key. Use it when you build a product whose users authenticate with their own GPTfake accounts. For server-side scripts that act only as you, use a plain API key instead.

When to use OAuth

ScenarioRecommended
Multi-tenant app where each user has a GPTfake accountOAuth 2.0
Your own backend, your own dataAPI key
Research notebook / one-off scriptsAPI key

Authorization code flow

GPTfake uses the standard authorization-code flow:

  1. Redirect the user to the authorization endpoint with your client_id, redirect_uri, requested scope, and a state value.
  2. The user approves access. GPTfake redirects back to your redirect_uri with a short-lived code.
  3. Exchange the code for an access token (and refresh token) at the token endpoint.
  4. Call the API with the access token as a bearer token.
# Step 1 — send the user here https://api.gptfake.com/oauth/authorize?response_type=code &client_id=YOUR_CLIENT_ID &redirect_uri=https://your-app.com/callback &scope=monitoring.read research.read &state=RANDOM_STATE
# Step 3 — exchange the code for tokens curl -X POST https://api.gptfake.com/oauth/token \ -d grant_type=authorization_code \ -d code=AUTH_CODE \ -d client_id=YOUR_CLIENT_ID \ -d client_secret=YOUR_CLIENT_SECRET \ -d redirect_uri=https://your-app.com/callback
{ "access_token": "ACCESS_TOKEN", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "REFRESH_TOKEN", "scope": "monitoring.read research.read" }
# Step 4 — call the API curl https://api.gptfake.com/v1/monitoring/chatgpt/metrics \ -H "Authorization: Bearer ACCESS_TOKEN"

Scopes

Request only the scopes you need:

ScopeGrants
monitoring.readRead live & historical monitoring metrics
research.readRead research studies & publications
research.exportExport datasets
webhooks.writeCreate and manage webhooks

Refresh tokens

Access tokens are short-lived (expires_in seconds). Use the refresh token to obtain a new one without re-prompting the user:

curl -X POST https://api.gptfake.com/oauth/token \ -d grant_type=refresh_token \ -d refresh_token=REFRESH_TOKEN \ -d client_id=YOUR_CLIENT_ID \ -d client_secret=YOUR_CLIENT_SECRET

Store client_secret and refresh tokens only on your server. Always verify the state parameter on the callback to prevent CSRF.

Next steps