What scopes does HASP support?
HASP uses Rich Authorization Requests (RFC 9396) instead of traditional OAuth scopes. Permissions are declared as structured authorization_details objects in the authorization URL. See Consent Screen for the supported types.
How long do access tokens last?
The credential lifetime is determined by the authorized agent’s expiry policy (default_expiry_hours). The expires_in field in the token response gives the exact lifetime in seconds.
Does HASP support refresh tokens?
No. When an access token expires, the user must re-authorize. This is intentional — agent credentials are short-lived by design to limit the blast radius of a leaked token.
Can I use the client credentials grant?
No. HASP’s OAuth endpoint supports only the authorization code grant with PKCE. Unattended server-to-server access uses API keys, not OAuth.
My client secret is lost — what do I do?
Rotate it immediately from Developer Console → Applications → (your app) → Rotate client secret. You can set a grace period (up to 24 hours). The grace period keeps the old client secret valid for client authentication during migration. Already-issued access tokens are independent of the client secret and remain active until they expire or are explicitly revoked.
What happens when I revoke an application?
All credentials issued via the application are revoked immediately. Users that previously authorized your application will need to re-authorize if the application is re-registered. The revocation is permanent — revoked applications cannot be restored.
Can I restrict which agents can authorize?
The authorization request is scoped to the agent_id parameter you include in the authorization URL. The consent screen displays that specific agent — there is no user-selectable agent list. Specify a different agent_id in your authorization URL to delegate to a different agent.
Where are the OAuth discovery endpoints?
/.well-known/oauth-authorization-server is the RFC 8414 server metadata document and lists all supported endpoints, grant types, and PKCE methods.
Do test-mode applications use different endpoints?
No — the endpoints are the same. Test-mode applications issue test-mode credentials (hasp_agent_test_ prefix) that are isolated from live data.
Is there a rate limit on the token endpoint?
Yes. The token endpoint is rate-limited per client_id. Exceeding the limit returns 429 Too Many Requests with a Retry-After header.
My authorization request is being rejected with invalid_request
Common causes:
- code_challenge_method is not S256 (plain is not supported)
- redirect_uri does not exactly match one registered on the application
- code_challenge is missing or malformed
- client_id does not match an active application
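The following is an added example, not code from the HASP documentation or SDK. It builds an authorization URL the way the answers above describe (authorization code grant, PKCE with S256, a single agent_id, and RFC 9396 authorization_details instead of scopes) and then runs a pre-flight check that mirrors the four invalid_request causes listed above, so a client can catch them before the redirect. The authorization endpoint path, the registered redirect URI, the active client_id and the authorization_details "type" value are placeholders: the real endpoint comes from /.well-known/oauth-authorization-server and the supported types from the Consent Screen page.

```python
import base64
import hashlib
import json
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions, not values from the HASP docs). In a real client the
# endpoint comes from the RFC 8414 metadata document and the other two from your
# application's registration in the Developer Console.
AUTHORIZATION_ENDPOINT = "https://hasp.example/oauth/authorize"
REGISTERED_REDIRECT_URIS = {"https://app.example/callback"}
ACTIVE_CLIENT_IDS = {"client_placeholder_123"}

# RFC 7636: code_verifier and code_challenge are base64url without padding, 43..128 chars.
_B64URL_43_128 = re.compile(r"^[A-Za-z0-9_-]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_from_verifier(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Return a fresh (code_verifier, code_challenge). 32 random bytes -> 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_from_verifier(verifier)


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed."""
    return secrets.compare_digest(code_challenge_from_verifier(verifier), challenge)


def build_authorization_url(client_id: str, redirect_uri: str, agent_id: str,
                            authorization_details: list, code_challenge: str,
                            state: str) -> str:
    """Authorization code + PKCE request with RFC 9396 authorization_details (no 'scope')."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "agent_id": agent_id,  # the single agent shown on the consent screen
        # Compact JSON; urlencode percent-encodes it for the query string.
        "authorization_details": json.dumps(authorization_details, separators=(",", ":")),
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def preflight_errors(url: str) -> list[str]:
    """Return the reasons a request would be rejected as invalid_request (empty list = OK).

    Mirrors the four common causes from the FAQ, evaluated client-side before redirecting.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query, keep_blank_values=True).items()}
    errors = []
    if q.get("code_challenge_method") != "S256":
        errors.append("code_challenge_method is not S256")
    if q.get("redirect_uri") not in REGISTERED_REDIRECT_URIS:
        errors.append("redirect_uri does not exactly match a registered URI")
    if not _B64URL_43_128.match(q.get("code_challenge", "")):
        errors.append("code_challenge is missing or malformed")
    if q.get("client_id") not in ACTIVE_CLIENT_IDS:
        errors.append("client_id does not match an active application")
    return errors


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_authorization_url(
        client_id="client_placeholder_123",
        redirect_uri="https://app.example/callback",
        agent_id="agent_placeholder",
        # "type" value is a placeholder; use one listed on the Consent Screen page.
        authorization_details=[{"type": "placeholder_type", "actions": ["read"]}],
        code_challenge=challenge,
        state=b64url(secrets.token_bytes(16)),
    )
    print(url)
    print("pre-flight errors:", preflight_errors(url))
    # Keep `verifier` server-side (session) and send it in the token request later.
```

Keep the code_verifier with the session that started the flow, not in the URL; only the challenge travels to the authorization endpoint, and the verifier is presented once at the token endpoint. Because HASP issues no refresh tokens, a client will run this flow again whenever expires_in has elapsed, so the verifier and state should be regenerated per attempt rather than reused.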