OAuth 2.0
OAuth 2.0 lets an application access the GPTfake API on behalf of a user without handling that user’s API key. Use it when you build a product whose users authenticate with their own GPTfake accounts. For server-side scripts that act only as you, use a plain API key instead.
When to use OAuth
| Scenario | Recommended |
|---|---|
| Multi-tenant app where each user has a GPTfake account | OAuth 2.0 |
| Your own backend, your own data | API key |
| Research notebook / one-off scripts | API key |
Authorization code flow
GPTfake uses the standard authorization-code flow:
- Redirect the user to the authorization endpoint with your
client_id,redirect_uri, requestedscope, and astatevalue. - The user approves access. GPTfake redirects back to your
redirect_uriwith a short-livedcode. - Exchange the code for an access token (and refresh token) at the token endpoint.
- Call the API with the access token as a bearer token.
# Step 1 — send the user here
https://api.gptfake.com/oauth/authorize?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=https://your-app.com/callback
&scope=monitoring.read research.read
&state=RANDOM_STATE# Step 3 — exchange the code for tokens
curl -X POST https://api.gptfake.com/oauth/token \
-d grant_type=authorization_code \
-d code=AUTH_CODE \
-d client_id=YOUR_CLIENT_ID \
-d client_secret=YOUR_CLIENT_SECRET \
-d redirect_uri=https://your-app.com/callback{
"access_token": "ACCESS_TOKEN",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "REFRESH_TOKEN",
"scope": "monitoring.read research.read"
}# Step 4 — call the API
curl https://api.gptfake.com/v1/monitoring/chatgpt/metrics \
-H "Authorization: Bearer ACCESS_TOKEN"Scopes
Request only the scopes you need:
| Scope | Grants |
|---|---|
monitoring.read | Read live & historical monitoring metrics |
research.read | Read research studies & publications |
research.export | Export datasets |
webhooks.write | Create and manage webhooks |
Refresh tokens
Access tokens are short-lived (expires_in seconds). Use the refresh token to obtain a new one without re-prompting the user:
curl -X POST https://api.gptfake.com/oauth/token \
-d grant_type=refresh_token \
-d refresh_token=REFRESH_TOKEN \
-d client_id=YOUR_CLIENT_ID \
-d client_secret=YOUR_CLIENT_SECRETStore client_secret and refresh tokens only on your server. Always verify the state parameter on the callback to prevent CSRF.
Next steps
- Simpler server-side access? Use an API key.
- Back to Authentication overview.