An access token is a short-lived credential your app sends on COSMIC API requests. Send it in the Authorization header on each request:
Authorization: Bearer <access_token>

Token types

OAuth apps receive access tokens after the user authorizes your app and the authorization code is exchanged at the token endpoint.

For public clients (for example browser SPA or mobile apps), PKCE is required and the code exchange can be done by the client without a client_secret.

For confidential clients (apps with a trusted backend), the backend performs the code exchange using the app’s configured client authentication method.

OAuth responses usually include a refresh token and expires_in (seconds until the access token expires).

When an OAuth access token is near expiry or already expired, request a new one with grant_type=refresh_token so the user does not need to repeat the browser authorization flow.

See OAuth for the refresh request, client authentication, and error handling.

Confirming access with GET /v1/me

After you obtain a token, call GET /v1/me with the same Authorization header you use for other API calls. The response includes the signed-in user and, for OAuth integration tokens, the scopes array (COSMIC API permissions on that access token). To list organizations and members, use GET /v1/organizations and GET /v1/organizations/{organization_id}/organization-members with the appropriate scopes—not GET /v1/me. See Authorization for how access is decided beyond scopes alone.
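
The refresh-before-expiry handling from "Token types" and the GET /v1/me scope check above, as an added example that is not COSMIC's own code. The post_form callable (it POSTs a form body to the token endpoint), the client_id form field for a public client, the 60-second margin, and the standard OAuth response field names access_token and refresh_token are assumptions; the OAuth page defines the actual refresh request.

```python
import time
from urllib.parse import urlencode

SKEW_SECONDS = 60  # assumption: refresh this long before the stated expiry


class TokenStore:
    """Holds an OAuth token response and refreshes it before it expires."""

    def __init__(self, token_response, post_form, client_id, now=time.time):
        self._post_form = post_form  # hypothetical: callable(body) -> parsed JSON dict
        self._client_id = client_id
        self._now = now
        self._store(token_response)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        # Keep the previous refresh token if the server does not return a new one.
        self.refresh_token = resp.get("refresh_token", getattr(self, "refresh_token", None))
        # expires_in is relative, so convert it to an absolute deadline on receipt.
        self.expires_at = self._now() + int(resp["expires_in"])

    def needs_refresh(self):
        return self._now() >= self.expires_at - SKEW_SECONDS

    def authorization_header(self):
        """Return the header for the next API call, refreshing first if needed."""
        if self.needs_refresh():
            if not self.refresh_token:
                raise RuntimeError("token expired and no refresh token: re-authorize")
            body = urlencode({
                "grant_type": "refresh_token",
                "refresh_token": self.refresh_token,
                "client_id": self._client_id,  # assumption: public client
            })
            self._store(self._post_form(body))
        return {"Authorization": f"Bearer {self.access_token}"}


def missing_scopes(me_response, required):
    """Compare the scopes array from GET /v1/me with the scopes the app needs."""
    granted = set(me_response.get("scopes", []))
    return sorted(set(required) - granted)
```

Call missing_scopes on the GET /v1/me response once after authorization and fail early if it returns anything, rather than discovering a missing scope on a later API call.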