AgnicPay
Authentication

OAuth2 Integration

Let users authorize your app to make X402 payments on their behalf

OAuth2 Integration

OAuth2 allows your application to request permission from AgnicPay users to make X402 payments on their behalf. Users set their own spending limits and can revoke access anytime.

Why OAuth2?

  • User-controlled limits - Users set daily/monthly spending caps
  • Revocable access - Users can disconnect your app anytime
  • Network selection - Users choose which networks to allow
  • Long-lived tokens - Access tokens last 30-60 days with refresh

Authorization Flow

Step 1: Redirect to Authorization

Redirect users to our authorization endpoint:

https://api.agnic.ai/oauth/authorize?
  client_id=your-app-name
  &redirect_uri=https://yourapp.com/callback
  &state=random_csrf_token
  &scope=payments:sign+balance:read
  &response_type=code

Step 2: User Grants Permission

The user logs in, sets spending limits (per-transaction, daily, monthly), selects allowed networks, and approves your app.

Step 3: Receive Authorization Code

User is redirected back to your app with an authorization code:

https://yourapp.com/callback?code=abc123&state=random_csrf_token

Step 4: Exchange for Tokens

Exchange the code for access and refresh tokens:

curl -X POST https://api.agnic.ai/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "code": "abc123",
    "redirect_uri": "https://yourapp.com/callback",
    "client_id": "your-app-name"
  }'

Token Response

{
  "access_token": "agnic_at_abc123...",
  "refresh_token": "agnic_rt_xyz789...",
  "token_type": "Bearer",
  "expires_in": 2592000,
  "scope": "payments:sign balance:read"
}

Token Expiration:

  • Access tokens: 30-60 days (varies by client type)
  • Refresh tokens: 90 days
  • N8N tokens: 1 year (for automation workflows)

Using the Access Token

# Check user's balance
curl https://api.agnic.ai/api/balance \
  -H "Authorization: Bearer agnic_at_abc123..."
 
# Make X402 payment (AI Gateway)
curl https://api.agnic.ai/v1/chat/completions \
  -H "Authorization: Bearer agnic_at_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "model": "openai/gpt-4o",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'
 
# Get transaction history
curl https://api.agnic.ai/api/transactions \
  -H "Authorization: Bearer agnic_at_abc123..."

Refreshing Tokens

When the access token expires, use the refresh token to get a new one:

curl -X POST https://api.agnic.ai/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "refresh_token": "agnic_rt_xyz789..."
  }'

Authorization Parameters

ParameterRequiredDescription
client_idYesYour application identifier
redirect_uriYesWhere to send user after authorization
stateYesCSRF protection token (returned unchanged)
scopeNoSpace-separated scopes (default: payments:sign balance:read)
response_typeYesMust be code
code_challengeNoPKCE code challenge (recommended)
code_challenge_methodNoPKCE method (default: S256)
promptNoControls consent behavior

Prompt Parameter

The prompt parameter follows the OpenID Connect standard:

ValueBehavior
(omitted)Auto-approve if user previously consented
noneSilent auth only - error if consent needed
consentForce consent screen even if previously consented
loginForce re-authentication before authorization

Returning users are auto-approved by default (like Google/GitHub). Use prompt=consent to force users to review permissions again.

CLI Client

The agnic CLI (v2.0.0+) uses OAuth2 Authorization Code + PKCE to authenticate via the browser — the same pattern as gh auth login, vercel login, and stripe login.

Client ID: agnic_cli

Flow:

  1. CLI starts a localhost HTTP server on a random port
  2. Browser opens to api.agnic.ai/oauth/authorize with PKCE challenge
  3. User signs in and sets spending limits on the consent screen
  4. Browser redirects to http://localhost:<port>/callback with auth code
  5. CLI exchanges code + PKCE verifier for tokens (90-day expiry)

Security:

  • PKCE is required for CLI clients (server rejects without code_challenge)
  • Localhost redirect only (http://localhost:<port>/callback or http://127.0.0.1:<port>/callback)
  • HTTP is correct for loopback per RFC 8252 §7.3
  • Server binds to 127.0.0.1 only (no network exposure)
  • Random ephemeral port, state parameter verified, 5-minute timeout
agnic auth login
# Opens browser → sign in → set limits → authenticated!

Register Your Application

To use OAuth2, contact us to register your application and get your redirect URIs whitelisted.

Register Your App →

For public clients (mobile apps, SPAs), we recommend using PKCE:

// Generate code verifier
const codeVerifier = generateRandomString(64);
 
// Create code challenge
const codeChallenge = base64UrlEncode(sha256(codeVerifier));
 
// Include in authorization URL
const authUrl = `https://api.agnic.ai/oauth/authorize?
  client_id=your-app
  &redirect_uri=https://yourapp.com/callback
  &state=random_state
  &response_type=code
  &code_challenge=${codeChallenge}
  &code_challenge_method=S256`;
 
// Include verifier in token exchange
const tokenResponse = await fetch('https://api.agnic.ai/oauth/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    grant_type: 'authorization_code',
    code: authCode,
    redirect_uri: 'https://yourapp.com/callback',
    client_id: 'your-app',
    code_verifier: codeVerifier
  })
});

Next Steps

Available Scopes

API Reference

Previous

Authentication

Next

API Tokens

On this page

OAuth2 IntegrationWhy OAuth2?Authorization FlowStep 1: Redirect to AuthorizationStep 2: User Grants PermissionStep 3: Receive Authorization CodeStep 4: Exchange for TokensToken ResponseUsing the Access TokenRefreshing TokensAuthorization ParametersPrompt ParameterCLI ClientRegister Your ApplicationPKCE (Recommended)Next Steps