If you use Claude Code, you can install a Flexslot OAuth skill that teaches it to build a correct integration — the full authorization-code + PKCE flow, token refresh with rotation, scope handling, DPoP, and calling the game-scoped API — without you copy-pasting from these docs. The skill encodes everything on this site plus the exact endpoint contracts, so Claude generates working code (correct token lifetimes, game-scoped paths, refresh rotation) instead of guessing.

Download

Download the skill

flexslot-oauth-integration.skill — a single installable file for Claude Code.

Install

1. Download the file

Grab flexslot-oauth-integration.skill from the link above.

2. Add it to Claude Code

Move the file into your Claude Code skills directory:

    mkdir -p ~/.claude/skills
    mv ~/Downloads/flexslot-oauth-integration.skill ~/.claude/skills/

Claude Code discovers .skill files in ~/.claude/skills/ automatically. Restart Claude Code if it’s already running.

3. Verify it loaded

Ask Claude Code to list its skills, or just describe your task — the skill activates on its own when you mention a Flexslot OAuth integration.

Use it

Once installed, prompt Claude Code in plain language. It pulls in the skill when your request matches. Examples:
  • Build a Node/Express app that lets users connect their Flexslot account and list their decks.
  • Add "Log in with Flexslot" to my React SPA using a public PKCE client.
  • My token refresh keeps returning invalid_grant — help me debug it.
The skill walks Claude through PKCE generation, the state/iss callback checks, the token exchange, refresh-token rotation, scope selection, and the game-scoped API calls. It covers TypeScript/Node, Python, browser SPA, and curl.
The skill is self-contained — it teaches Claude the flow and contracts, but it doesn’t ship your credentials. You’ll still register a client (Public or Confidential) from Account → API access and supply your own client_id / client_secret. See Managing OAuth Clients and the Quickstart.
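
For orientation, here is an added example (not taken from the skill or from Flexslot's own code) of two of the steps named above: generating a PKCE S256 pair and running the state/iss checks on the callback before any token exchange. The issuer and callback URLs are placeholders, the function names are hypothetical, and it assumes the authorization server always returns the iss parameter.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Placeholder issuer (assumption): use the issuer from the server's metadata.
EXPECTED_ISSUER = "https://auth.example.test"


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), no padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh verifier per authorization request; store it with that session."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 limit
    return verifier, s256_challenge(verifier)


def check_callback(callback_url, expected_state, expected_issuer=EXPECTED_ISSUER):
    """Return the authorization code, or raise ValueError if the redirect
    must not be exchanged at the token endpoint."""
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    def single(name):
        values = params.get(name, [])
        if len(values) > 1:  # repeated parameters are ambiguous: reject
            raise ValueError(f"duplicate {name} parameter")
        return values[0] if values else None

    state = single("state")
    # Constant-time compare against the state stored when the flow started.
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    # RFC 9207: iss must name the server the request was sent to.
    # Assumes the server always sends iss, so a missing value is rejected too.
    if single("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    error = single("error")
    if error is not None:
        raise ValueError(f"authorization error: {error}")
    code = single("code")
    if not code:
        raise ValueError("missing code")
    return code
```

The order matters: state and iss are verified before the error or code parameters are trusted, so a forged or mixed-up response is dropped without reaching the token endpoint.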

What it covers

  • Authorization-code grant with PKCE (S256) — the only user-facing grant
  • Token exchange, proactive refresh, and refresh-token rotation handling
  • Scope selection and incremental authorization
  • The game-scoped resource API (/api/public/v1/games/{game}/...)
  • DPoP sender-constrained tokens (RFC 9449)
  • Token introspection and revocation
  • The full error catalog and a debugging checklist
Prefer to read rather than delegate? Everything the skill knows is on this site: start with the Quickstart and Authorization Code Flow.