
REST API Endpoints Reference

Complete reference for user-facing management endpoints. For AI model calls (chat, images, audio), see the Integration Playbook.

OAuth2 Client Management

Register, list, update, and delete OAuth2 client applications. All endpoints require authentication.

POST /api/v1/oauth2/clients

Auth: Bearer token (user)

Register a new OAuth2 client. The client secret is only shown once in the response.

POST /api/v1/oauth2/clients
Authorization: Bearer ACCESS_TOKEN
Content-Type: application/json

{
  "clientName": "My App",                    // required, 3-255 chars
  "redirectUris": ["myapp://auth/callback"], // redirect URIs
  "requestedScopes": ["api:access", "profile:read"],
  "requireConsent": true,                    // default: true
  "accessTokenTtlSeconds": 3600,             // default: 3600
  "refreshTokenTtlSeconds": 2592000          // default: 30 days
}

// Response 201:
{
  "success": true,
  "data": {
    "id": 1,
    "clientId": "abc123",
    "clientSecret": "secret_shown_once",
    "clientName": "My App",
    "clientType": "PUBLIC",
    "redirectUris": ["myapp://auth/callback"],
    "scopes": ["api:access", "profile:read"],
    "accessTokenTtlSeconds": 3600,
    "requirePkce": true,
    "requireConsent": true,
    "isActive": true,
    "createdAt": "2024-01-15T10:00:00",
    "updatedAt": "2024-01-15T10:00:00"
  }
}
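
Because the client secret appears only in this one response, the caller has to capture it and keep it out of logs at the same moment. The sketch below is an added example, not AI Pass's own code: it builds the registration body and splits the secret from a loggable copy of the response. The redirect URI checks are an assumed client-side policy rather than rules stated on this page, and all function names are hypothetical.

```python
import copy
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def check_redirect_uri(uri):
    """Reject redirect URIs that are risky to register (assumed policy)."""
    parts = urlsplit(uri)
    if not parts.scheme:
        raise ValueError(f"{uri!r}: absolute URI required")
    if "*" in uri:
        raise ValueError(f"{uri!r}: wildcards are not allowed")
    if parts.fragment:
        raise ValueError(f"{uri!r}: fragments are not allowed")
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        raise ValueError(f"{uri!r}: plain http is only accepted for loopback")
    return uri

def build_registration(name, redirect_uris, scopes,
                       access_ttl=3600, refresh_ttl=2592000):
    """Build the POST /api/v1/oauth2/clients body shown above."""
    if not 3 <= len(name) <= 255:  # documented: required, 3-255 chars
        raise ValueError("clientName must be 3-255 characters")
    return {
        "clientName": name,
        "redirectUris": [check_redirect_uri(u) for u in redirect_uris],
        "requestedScopes": list(scopes),
        "requireConsent": True,  # keep the documented default
        "accessTokenTtlSeconds": access_ttl,
        "refreshTokenTtlSeconds": refresh_ttl,
    }

def split_secret(response):
    """Return (clientSecret, copy of the response that is safe to log)."""
    secret = response["data"]["clientSecret"]
    loggable = copy.deepcopy(response)
    loggable["data"]["clientSecret"] = "[REDACTED]"
    return secret, loggable

# Constructed 201 response, trimmed from the sample on this page.
SAMPLE_201 = {"success": True, "data": {
    "id": 1, "clientId": "abc123", "clientSecret": "secret_shown_once",
    "clientType": "PUBLIC", "requirePkce": True, "isActive": True}}

if __name__ == "__main__":
    secret, loggable = split_secret(SAMPLE_201)
    print(loggable)  # store `secret` in a secrets manager, log only `loggable`
```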

GET /api/v1/oauth2/clients

Auth: Bearer token (user)

List all OAuth2 clients owned by the current user.

GET /api/v1/oauth2/clients
Authorization: Bearer ACCESS_TOKEN

// Response: { "success": true, "data": [OAuth2ClientDto, ...] }

GET /api/v1/oauth2/clients/{id}

Auth: Bearer token (owner)

Get details of a specific client. Only accessible by the owner.

PUT /api/v1/oauth2/clients/{id}

Auth: Bearer token (owner)

Update an OAuth2 client. Same body as POST.

DELETE /api/v1/oauth2/clients/{id}

Auth: Bearer token (owner)

Delete a client and all its associated authorizations.

POST /api/v1/oauth2/clients/{id}/deactivate

Auth: Bearer token (owner)

Soft-delete (deactivate) a client without removing data.

GET /api/v1/oauth2/clients/{clientId}/usage

Auth: Bearer token (owner)

Get usage stats for a client. Defaults to last 30 days.

GET /api/v1/oauth2/clients/{clientId}/usage?startDate=2024-01-01&endDate=2024-01-31
Authorization: Bearer ACCESS_TOKEN

// Query params (optional): startDate, endDate (ISO date format)

OAuth2 Consents

Manage which third-party apps have access to your account.

GET /api/v1/oauth2/consents

Auth: Bearer token (user)

List all apps the current user has authorized.

DELETE /api/v1/oauth2/consents/{clientId}

Auth: Bearer token (user)

Revoke access for a specific app. Deletes consent and invalidates tokens.

GET /api/v1/oauth2/consents/count

Auth: Bearer token (user)

Get count of authorized apps.

GET /api/v1/oauth2/consents/count
Authorization: Bearer ACCESS_TOKEN

// Response: { "success": true, "data": 3 }

Payments

Add funds to your account via Stripe checkout.

POST /api/v1/payment/create-checkout-session

Auth: Bearer token (user)

Create a Stripe checkout session to add funds.

POST /api/v1/payment/create-checkout-session
Authorization: Bearer ACCESS_TOKEN
Content-Type: application/json

{
  "amount": 10.00   // required, minimum $0.50
}

// Response:
{
  "success": true,
  "data": {
    "sessionId": "cs_live_abc123",
    "checkoutUrl": "https://checkout.stripe.com/..."
  }
}

POST /api/v1/payment/verify-and-capture

Auth: Bearer token (user)

Verify and capture payment after Stripe redirect.

POST /api/v1/payment/verify-and-capture?session_id=cs_live_abc123
Authorization: Bearer ACCESS_TOKEN

Gift Cards

POST /api/v1/giftcard/redeem

Auth: Bearer token (user)

Redeem a gift card to add funds to your balance.

POST /api/v1/giftcard/redeem
Authorization: Bearer ACCESS_TOKEN
Content-Type: application/json

{
  "code": "GIFT-XXXX-XXXX"   // required
}

// Response:
{
  "success": true,
  "data": {
    "success": true,
    "message": "Gift card redeemed successfully",
    "amountAdded": 5.00,
    "newBalance": 15.00
  }
}

Spaces

User workspaces for hosting AI-generated apps with public profiles.

PUT /api/v1/spaces/handle

Auth: Bearer token (user)

Set your space handle (username).

PUT /api/v1/spaces/handle
Authorization: Bearer ACCESS_TOKEN
Content-Type: application/json

{
  "handle": "my-space"   // 3-40 chars, pattern: ^[a-z0-9][a-z0-9_-]{1,38}[a-z0-9]$
}

GET /api/v1/spaces/handle/check?handle={handle}

Auth: Public

Check if a handle is available.

GET /api/v1/spaces/handle/check?handle=my-space

// Response: { "success": true, "data": { "available": true } }

GET /api/v1/spaces/{handle}

Auth: Public

Get a space profile with published apps. Returns profile info, apps list, and isOwner flag.

GET /api/v1/spaces/me/apps

Auth: Bearer token (user)

Get all space apps for the current user (including unpublished).

POST /api/v1/spaces/generate

Auth: Bearer token (user)

Generate a new AI app from a prompt.

POST /api/v1/spaces/generate
Authorization: Bearer ACCESS_TOKEN
Content-Type: application/json

{
  "prompt": "Create a color palette generator tool",  // 10-2000 chars
  "models": ["gpt-4o-mini"]                           // optional
}

PUT /api/v1/spaces/{slug}/edit

Auth: Bearer token (owner)

Edit an existing space app with a new prompt.

PUT /api/v1/spaces/{slug}/edit
Authorization: Bearer ACCESS_TOKEN
Content-Type: application/json

{
  "prompt": "Add dark mode support"   // 5-2000 chars
}

DELETE /api/v1/spaces/{slug}

Auth: Bearer token (owner)

Delete a space app by slug.

Apps

Create and manage apps in the AI Pass app catalog.

POST /api/v1/apps

Auth: Bearer token (user)

Create a new app.

POST /api/v1/apps
Authorization: Bearer ACCESS_TOKEN
Content-Type: application/json

{
  "slug": "my-cool-app",           // optional, pattern: ^[a-z0-9]+(?:-[a-z0-9]+)*$
  "name": "My Cool App",           // required, max 200
  "shortDescription": "A brief description",  // required, max 300
  "longDescription": "...",         // max 5000
  "category": "productivity",      // max 50
  "tags": ["ai", "tools"],
  "features": ["Feature 1"],
  "iconUrl": "https://...",
  "appType": "HTML",               // required: HTML or EXTERNAL
  "htmlContent": "<div>...</div>",  // for HTML apps
  "externalUrl": "https://..."      // for EXTERNAL apps
}
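
The field limits above and the space handle pattern from the Spaces section can be checked before a request is sent. The validator below is an added example, not AI Pass's own code. Its function names are hypothetical, and requiring htmlContent or externalUrl to match appType is an assumption drawn from the "for HTML apps" and "for EXTERNAL apps" comments.

```python
import re

# Patterns from this page, applied with fullmatch(): in Python, "$" in
# re.match() also matches just before a trailing newline, so "my-space\n"
# would pass a ^...$ check.
HANDLE_RE = re.compile(r"[a-z0-9][a-z0-9_-]{1,38}[a-z0-9]")
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")

REQUIRED = ("name", "shortDescription", "appType")
MAX_LEN = {"name": 200, "shortDescription": 300,
           "longDescription": 5000, "category": 50}
CONTENT_FIELD = {"HTML": "htmlContent", "EXTERNAL": "externalUrl"}

def valid_handle(handle):
    """True if the handle fits the documented pattern (3-40 chars)."""
    return HANDLE_RE.fullmatch(handle) is not None

def app_payload_errors(app):
    """Return a list of problems with a POST /api/v1/apps body."""
    errors = [f"{f} is required" for f in REQUIRED if not app.get(f)]
    for field, limit in MAX_LEN.items():
        if len(app.get(field) or "") > limit:
            errors.append(f"{field} exceeds {limit} characters")
    if "slug" in app and not SLUG_RE.fullmatch(app["slug"]):
        errors.append("slug does not match the documented pattern")
    app_type = app.get("appType")
    if app_type and app_type not in CONTENT_FIELD:
        errors.append("appType must be HTML or EXTERNAL")
    elif app_type and not app.get(CONTENT_FIELD[app_type]):
        # Assumption: the content field matching appType must be present.
        errors.append(f"{CONTENT_FIELD[app_type]} is required for {app_type} apps")
    return errors

# Constructed body modelled on the sample above.
SAMPLE_APP = {"slug": "my-cool-app", "name": "My Cool App",
              "shortDescription": "A brief description",
              "appType": "HTML", "htmlContent": "<div>hello</div>"}

if __name__ == "__main__":
    print(valid_handle("my-space"), app_payload_errors(SAMPLE_APP))
```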

GET /api/v1/apps/me

Auth: Bearer token (user)

Get all apps owned by the current user.

PUT /api/v1/apps/{slug}

Auth: Bearer token (owner or admin)

Update an app. All fields are optional — only send fields to change.

DELETE /api/v1/apps/{slug}

Auth: Bearer token (owner or admin)

Delete an app by slug.

POST /api/v1/apps/{slug}/publish

Auth: Bearer token (owner or admin)

Publish an app (makes it visible in the catalog).

POST /api/v1/apps/{slug}/unpublish

Auth: Bearer token (owner or admin)

Unpublish an app (removes from catalog but keeps data).

POST /api/v1/apps/{slug}/unlist

Auth: Bearer token (owner or admin)

Unlist an app (accessible by direct link only).

POST /api/v1/apps/upload-icon

Auth: Bearer token (user)

Upload an app icon image.

POST /api/v1/apps/upload-icon
Authorization: Bearer ACCESS_TOKEN
Content-Type: multipart/form-data

// Form field: "file" (image file)

// Response: { "success": true, "data": { "url": "https://..." } }

For AI model endpoints (chat, images, audio, embeddings), see the Integration Playbook.

Using Claude Code, Cursor, or another AI agent?

Drop the AI Pass skill into your agent and skip the manual setup. Works with Claude Code, Codex, Cursor, OpenCode, and 38+ other agents.

npx skills add aipass-one/skill

Two skills available: aipass-api (personal use) and aipass-oauth-app (for app builders).
