# Connected apps (OAuth)

Let a customer authorize a third-party application against their project with OAuth 2.1: full Product API access, scoped to what they grant. This is the alternative to API tokens.

**Language:** en
**Audience:** developer
**Related pages:** /developers/product-api/authentication, /developers/product-api/mcp, /platform/en/ai-agents

> **Note**: This page is **coming soon**. The OAuth authorization server is in active
> development. For the dashboard-side view (approving and revoking apps), see
> [AI agents & MCP](/platform/en/ai-agents) in the Platform zone.

A **connected app** is the second way to authenticate to the Product API (the other is [API tokens](/developers/product-api/authentication)). Instead of a customer pasting a long-lived token into your software, **they authorize your application against their project with OAuth 2.1**, and they can revoke it at any time from the dashboard.

Once authorized, a connected app calls the **full Product API** with the scopes the customer granted: audience, events, segments, campaigns, automations, direct SMS and contact ingestion — the same surface a token of equivalent scope reaches. This is the path for building an integration or product on top of Instasent that many customers install.

> **Warning**: A connected app (OAuth) is **not** the same as the [MCP server](/developers/product-api/mcp).
> A connected app authenticates against the **full** Product API; MCP is a
> separate, agent-oriented surface with a **limited, read-leaning tool set** (for
> example, it does not ingest contacts). They both use OAuth, but they grant very
> different access.

## What this guide will cover

- **OAuth 2.1 for external apps** — authorization code flow with PKCE, consent in the dashboard, `isoa_` token prefix, refresh and revocation.
- **Dynamic Client Registration (DCR)** — registering a client without a manual pre-registration step, and the rate limits that apply.
- **Scopes and roles** — how the scopes your app requests intersect with the authorizing user's role in the project.
- **Verified vs unverified apps** — what an unverified app can do during development, and the verification needed for production and marketplace listings.

## Related

- [API tokens](/developers/product-api/authentication) — the other authentication method, for your own server-side integrations.
- [AI agents & MCP](/platform/en/ai-agents) — Platform overview for dashboard users.
