Connected apps (OAuth)
Let a customer authorize a third-party application against their project with OAuth 2.1 — full Product API access, scoped to what they grant. The alternative to API tokens.
A connected app is the second way to authenticate the Product API (the other is API tokens). Instead of a customer pasting a long-lived token into your software, they authorize your application against their project with OAuth 2.1 — and can revoke it at any time from the dashboard.
Once authorized, a connected app calls the full Product API with the scopes the customer granted: audience, events, segments, campaigns, automations, direct SMS and contact ingestion — the same surface a token of equivalent scope reaches. This is the path for building an integration or product on top of Instasent that many customers install.
What this guide will cover
- OAuth 2.1 for external apps — authorization code flow with PKCE, consent in the dashboard, isoa_token prefix, refresh and revocation.
- Dynamic Client Registration (DCR) — registering a client without a manual pre-registration step, and the rate limits that apply.
- Scopes and roles — how the scopes your app requests intersect with the authorizing user's role in the project.
- Verified vs unverified apps — what an unverified app can do during development, and the verification needed for production and marketplace listings.
Related
- API tokens — the other authentication method, for your own server-side integrations.
- AI agents & MCP — Platform overview for dashboard users.