There is intentionally no SDK in v1. The OAuth endpoints below and the local management API are
the integration surface;
remote-notes-client is a full reference
implementation.Registering a client
Self-serve client registration is coming to the developer portal. Until then,
request an OAuth client for your app. You’ll receive a
clientId and — for
confidential clients (ones that can keep a secret) — a clientSecret shown once. Public clients
(no secret) are on the roadmap; confidential clients must send the secret on every token request.
You register one or more exact redirectUris.Authorization flow
Send the user to /oauth/authorize
redirect_uri?code=…&state=…; on denial, ?error=access_denied.Access token claims
Access tokens are EdDSA (Ed25519) compact JWS. Payload:| Claim | Value |
|---|---|
iss | meradomo-control |
sub | Account id (stable, opaque) |
email | Verified email address |
aud | Root host (e.g. you.meradomo.com) |
client_id | Your OAuth client id |
grant | Grant id (used for revocation) |
scope | connect |
iat | Issued-at (unix seconds) |
exp | Expiry: iat + 600 (10 minutes) |
jti | Unique token identifier |
GET https://account.meradomo.com/auth/pubkey (JSON with a publicKey
PEM field). The agent fetches and caches this key.
Refresh tokens
Refresh tokens are opaque, single-use, and stored hashed.400 invalid_grant. Refreshing after the grant was revoked returns 400 access_denied.
Revocation
The user can revoke your app from the menu-bar app or their account dashboard. Revocation is asynchronous within a short poll window:- New refresh-token requests fail immediately.
- Existing access tokens stop working within the next agent poll cycle (a few seconds in production).
CORS
POST /oauth/token and GET /auth/pubkey include permissive CORS headers so browser-based clients
can call them directly.
Error codes
| Code | Meaning |
|---|---|
invalid_client | Unknown or incorrect client |
invalid_grant | Code invalid, expired, already used, or PKCE mismatch |
access_denied | Grant revoked, or user denied consent |
unsupported_grant_type | Grant type not supported |
invalid_redirect_uri | Redirect URI not registered |
unsupported_response_type | Only code is supported |