Once your partner application is approved, you manage your own OAuth2 clients — no Flexslot admin in the loop. A client is the credential your app uses to start the authorization code flow: a client_id, an optional client_secret, a set of redirect URIs, and the scopes the client may request. You can manage clients two ways:

From the dashboard
Account → API access at flexslot.gg/account?section=api-access. The OAuth applications card lets you create, rotate, and revoke clients with a few clicks.

Programmatically
The me/partner/oauth2-clients endpoints, authenticated with a Personal Access Token. Intended for scripts and CI.

Both paths share the same rules and the same one-time-secret behavior.

Confidential vs public clients

1. Confidential
   Runs on a server you control. Gets a client_secret, shown once at creation. Sends the secret to the token endpoint via HTTP Basic auth. Choose this for a backend web app.

2. Public
   Runs where you can’t keep a secret — a CLI, native app, or SPA. Gets no secret; security comes entirely from PKCE. Choose this for anything that ships to the user’s device or browser.

PKCE is mandatory for both types (RFC 9700). The client type only decides whether a secret exists.
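What the two client types look like at the token endpoint, as an added example that is not Flexslot's code: it generates a PKCE verifier/challenge pair (RFC 7636, S256 method) and builds the authorization_code token request, sending the secret via HTTP Basic for a confidential client and only client_id for a public one. The token endpoint URL, redirect URI and client credentials in it are placeholders, not values from this page.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import quote, urlencode

# Placeholder: the token endpoint is not documented on this page.
TOKEN_ENDPOINT = "https://auth.example.invalid/oauth/token"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh (code_verifier, code_challenge). 32 random bytes encode to 43
    unreserved characters, the minimum verifier length RFC 7636 allows."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_token_request(client_id: str, code: str, redirect_uri: str,
                        code_verifier: str,
                        client_secret: Optional[str] = None) -> Tuple[Dict[str, str], str]:
    """Headers and form body for the authorization_code grant.

    PKCE is mandatory for both client types, so code_verifier is always sent.
    A confidential client authenticates with HTTP Basic (RFC 6749 s2.3.1:
    credentials are percent-encoded, then base64 of "id:secret"); a public
    client has no secret and identifies itself only with client_id in the body.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the registered URI exactly
        "code_verifier": code_verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")
    else:
        form["client_id"] = client_id
    return headers, urlencode(form)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("code_challenge for /authorize:", challenge)
    # Placeholder ids/secret; the authorization code would come back on the redirect URI.
    for secret in ("flx_cs_PLACEHOLDER", None):
        hdrs, body = build_token_request("flx_client_PLACEHOLDER", "AUTH_CODE",
                                         "https://app.example.com/oauth/callback",
                                         verifier, secret)
        print("confidential" if secret else "public", hdrs, body, sep="\n  ")
```

The verifier is kept client-side between the /authorize redirect and the token call; only the challenge leaves the client up front, which is why a public client with no secret is still safe against code interception.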

Redirect URI rules

Every redirect URI is validated at creation. The rules are the same exact-match rules the authorization endpoint enforces:
  • HTTPS is required for every non-loopback URI.
  • HTTP is allowed only for the loopback hosts localhost, 127.0.0.1, and [::1] (native-app loopback per RFC 8252). The port is unconstrained.
  • No wildcards (*) anywhere in the URI.
  • No URL fragments (#...).
  • Custom native-app schemes (com.example.app://) are not accepted — native apps use a loopback redirect.
Redirect URIs are matched byte-for-byte at /authorize. Register every environment’s callback explicitly — a trailing slash or port mismatch is a different URI.
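The rules above as a validator, added here as an example rather than Flexslot's own implementation: it reports every rule a candidate URI breaks (HTTPS except for loopback HTTP, no wildcards, no fragments, no custom schemes) and shows the byte-for-byte comparison /authorize performs, so a trailing-slash or port mismatch fails exactly as the text says. The sample URIs are constructed.

```python
from typing import List
from urllib.parse import urlsplit

# Loopback hosts that may use plain http (RFC 8252 native-app loopback).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _host_of(netloc: str) -> str:
    """Host part of a netloc: drop userinfo and port, keep IPv6 brackets."""
    netloc = netloc.rsplit("@", 1)[-1]
    if netloc.startswith("["):
        end = netloc.find("]")
        return (netloc if end < 0 else netloc[: end + 1]).lower()
    return netloc.split(":", 1)[0].lower()


def validate_redirect_uri(uri: str) -> List[str]:
    """Return every rule the URI violates; an empty list means it is acceptable."""
    problems: List[str] = []
    if "*" in uri:
        problems.append("wildcards (*) are not allowed anywhere in the URI")
    if "#" in uri:
        problems.append("URL fragments (#...) are not allowed")
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = _host_of(parts.netloc)
    if scheme == "https":
        if not host:
            problems.append("https URI needs a host")
    elif scheme == "http":
        if host not in LOOPBACK_HOSTS:
            problems.append("http is allowed only for localhost, 127.0.0.1 and [::1]; any port is fine")
    elif scheme:
        problems.append(f"scheme {scheme!r} is not accepted; native apps must use a loopback redirect")
    else:
        problems.append("URI must be absolute")
    return problems


def matches_registered(presented: str, registered: List[str]) -> bool:
    """The /authorize comparison: exact string equality, no normalisation."""
    return any(presented == r for r in registered)


if __name__ == "__main__":
    # Constructed candidates, one per rule.
    for candidate in [
        "https://app.example.com/oauth/callback",
        "http://127.0.0.1:51234/cb",
        "http://[::1]:8080/cb",
        "http://app.example.com/cb",
        "https://*.example.com/cb",
        "https://app.example.com/cb#token",
        "com.example.app://callback",
    ]:
        print(candidate, "->", validate_redirect_uri(candidate) or "ok")
    registered = ["https://app.example.com/oauth/callback"]
    print(matches_registered("https://app.example.com/oauth/callback/", registered))  # trailing slash differs
```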

From the dashboard

1. Open Account → API access
   The OAuth applications card lists your existing clients and a New application button.

2. Create a client
   Enter a name, pick Confidential or Public, add one redirect URI per line, and check the scopes the client may request. Click Create application.

3. Copy the secret (confidential only)
   A confidential client shows its client_secret once. Copy it immediately — it is never shown again.

4. Rotate or revoke later
   Each client has Rotate secret (confidential only) and Revoke actions. Rotating invalidates the old secret immediately; revoking disables the client and signs out every user who authorized it.

Programmatically (Personal Access Token)

Mint a Personal Access Token from Settings → Personal Access Tokens, then call the management endpoints with it as a bearer token. These live under /api/public/v1/me/partner/oauth2-clients and resolve the partner from the token’s owner.
curl -sS https://api.flexslot.gg/api/public/v1/me/partner/oauth2-clients \
  -H "Authorization: Bearer $FLEXSLOT_PAT"
A create or rotate response returns the client plus the one-time secret:
{
  "client": {
    "client_id": "flx_client_01HX2K…",
    "client_type": "confidential",
    "application_name": "My Integration",
    "redirect_uris": ["https://app.example.com/oauth/callback"],
    "allowed_scopes": ["decks:read"],
    "status": "active"
  },
  "plaintext_client_secret": "flx_cs_01HX2K…",
  "secret_rotated_at": "2026-06-02T18:00:00Z"
}
For a public client, plaintext_client_secret is an empty string — there is no secret to copy.
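A small client for the management API, added here as an example and not Flexslot's own tooling: it issues the documented list request with the PAT as a bearer token and parses a create/rotate response so the one-time secret is captured exactly once, treating the empty string a public client returns as "no secret" and never including the secret in anything logged. The sample JSON is the response shown above; the create and rotate requests themselves are not issued because their paths and bodies are not specified on this page, and the shape of the list response is likewise not assumed.

```python
import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Any, Optional

# Documented on this page; the partner is resolved from the PAT's owner.
LIST_URL = "https://api.flexslot.gg/api/public/v1/me/partner/oauth2-clients"


def list_clients_request(pat: str) -> urllib.request.Request:
    """The GET from the curl above: Personal Access Token as a bearer token."""
    return urllib.request.Request(
        LIST_URL,
        headers={"Authorization": f"Bearer {pat}", "Accept": "application/json"},
        method="GET",
    )


def fetch_clients(pat: str) -> Any:
    """Live call (needs network and a real PAT). Returns the decoded JSON body;
    the list response shape is not documented above, so it is passed through."""
    with urllib.request.urlopen(list_clients_request(pat), timeout=10) as resp:
        return json.load(resp)


@dataclass
class IssuedClient:
    client_id: str
    client_type: str
    secret: Optional[str]            # None for public clients
    secret_rotated_at: Optional[str]


def parse_issue_response(body: str) -> IssuedClient:
    """Parse a create/rotate response. The plaintext secret appears only here,
    so the caller must persist it now; it is never returned again."""
    doc = json.loads(body)
    client = doc["client"]
    # Docs: public clients return "" in plaintext_client_secret.
    secret = doc.get("plaintext_client_secret") or None
    if client["client_type"] == "confidential" and secret is None:
        raise ValueError("confidential client response without a secret; "
                         "create/rotate is the only time it is returned")
    if client["client_type"] == "public" and secret is not None:
        raise ValueError("public client must not carry a secret")
    return IssuedClient(client["client_id"], client["client_type"],
                        secret, doc.get("secret_rotated_at"))


def log_view(issued: IssuedClient) -> dict:
    """What is safe to log or echo in CI output: everything but the secret."""
    return {
        "client_id": issued.client_id,
        "client_type": issued.client_type,
        "has_secret": issued.secret is not None,
        "secret_rotated_at": issued.secret_rotated_at,
    }


# Sample bodies: the first is the response shown in the docs above, the second
# is constructed from it to show the public-client case.
SAMPLE_CONFIDENTIAL = json.dumps({
    "client": {
        "client_id": "flx_client_01HX2K…",
        "client_type": "confidential",
        "application_name": "My Integration",
        "redirect_uris": ["https://app.example.com/oauth/callback"],
        "allowed_scopes": ["decks:read"],
        "status": "active",
    },
    "plaintext_client_secret": "flx_cs_01HX2K…",
    "secret_rotated_at": "2026-06-02T18:00:00Z",
})
SAMPLE_PUBLIC = json.dumps({
    "client": {
        "client_id": "flx_client_PUBLIC_EXAMPLE",
        "client_type": "public",
        "application_name": "My CLI",
        "redirect_uris": ["http://127.0.0.1:51234/cb"],
        "allowed_scopes": ["decks:read"],
        "status": "active",
    },
    "plaintext_client_secret": "",
    "secret_rotated_at": None,
})


if __name__ == "__main__":
    for body in (SAMPLE_CONFIDENTIAL, SAMPLE_PUBLIC):
        print(log_view(parse_issue_response(body)))
    pat = os.environ.get("FLEXSLOT_PAT")
    if pat:
        print(fetch_clients(pat))
```

In a CI job, hand `IssuedClient.secret` straight to the secret store and print only `log_view(...)`; a rotate immediately invalidates the previous secret, so the store update and the deploy that reads it should happen in the same step.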

Revocation is a cascade

Revoking a client is not just a status flip. It also revokes every grant and every access and refresh token issued under that client. Any user who authorized the client is signed out, and bearer tokens that client minted stop working immediately. This is deliberate: a status-only revoke would leave live tokens that the resource server still honors. Revoked clients are retained for audit but disappear from both the dashboard list and the API list.

Client limit

Each partner may hold up to 10 active clients (active or suspended count toward the limit; revoked clients do not). Revoke a client you no longer use to free a slot. If you need a higher limit, contact Flexslot.

Next steps

OAuth Quickstart

Use a client you just created to get an access token

Security best practices

Redirect URIs, PKCE, refresh rotation