OAuth 2.1
Use authorization code with PKCE and Connect protected resource discovery.
OAuth clients use authorization code with PKCE. The authorization server is
https://auth.torqee.app, and its OAuth endpoints include the BetterAuth base
path:
| Endpoint | URL |
|---|---|
| Authorization | https://auth.torqee.app/api/auth/oauth2/authorize |
| Token | https://auth.torqee.app/api/auth/oauth2/token |
Resource indicator
When requesting authorization, include the RFC 8707 resource parameter:
Connect validates the access token audience against that resource. Tokens issued for another audience are rejected.
Protected resource discovery
When a request has no valid Bearer credential, Connect returns a 401 response
with a WWW-Authenticate header pointing at protected resource metadata:
Fetch the metadata endpoint to discover the resource, authorization server, and supported scopes:
Scopes
Request only the scopes your integration needs:
| Scope | Allows |
|---|---|
torqee:sessions:read | List sessions and read session metadata. |
torqee:transcripts:read | Search transcripts and read transcript segments. |
torqee:boards:read | List and read AI board contents. |
If a token is valid but does not include the required scope, Connect returns
403 { "error": "insufficient_scope" }.