Skip to main content
Use OAuth 2.0 to let your users authorize your service to call the Monid API on their behalf. This is the right choice when your users manage their own Monid account and wallet.

1. Request OAuth Credentials

Email support@monid.ai to obtain:
  • Client ID
  • Client Secret
  • Whitelisted redirect URIs (only required if you host your own callback)
If you don’t have a callback URL, you can use Monid’s hosted callback to display the authorization code for the user to copy and paste:

2. OAuth Configuration

Monid follows standard OAuth 2.0 / OpenID Connect. Point your OAuth client library at the discovery document above and it will auto-configure the authorization, token, userinfo, and introspection endpoints.

Scopes

Request any subset of the following:

3. Authorization Flow

Monid uses the standard OAuth 2.0 authorization code flow (with PKCE recommended for public clients). Any OIDC-compliant client library will work — see oauth.net or your library’s docs for reference. The flow at a glance:
1

Redirect the user to /oauth/authorize

Include client_id, redirect_uri, scope, resource=https://api.monid.ai, and a state value.
2

Exchange the returned code at /oauth/token

You’ll get back an access_token and (if offline_access was requested) a refresh_token.
3

Use the access token

Send Authorization: Bearer <access_token> on every Monid API call.
For the exact request/response shape of each endpoint, use the OIDC discovery document — it’s the canonical source and always up to date.

4. Select a Workspace

A Monid user can belong to multiple workspaces. Every request to the Monid API must include an x-workspace-id header so Monid knows which workspace to operate against. List the workspaces the user has access to — see GET /v1/auth/workspaces:
Pick a workspace and include its ID on every subsequent call:

5. Call the API

Once you have an access token and a workspace ID, use the standard Monid API. See the API Reference for all available endpoints.
Access tokens from OAuth act like scoped API keys. Never expose them to end‑user browsers or mobile clients — keep them on your server.