Skip to content
Select themeSelect language

POST /settings/oauth/:provider/exchange — exchange auth code for tokens (code-paste flow)

POST
/api/settings/oauth/{provider}/exchange
curl --request POST \
--url https://example.com/api/settings/oauth/example/exchange \
--header 'Content-Type: application/json' \
--cookie supacloud_session=<supacloud_session> \
--data '{ "code": "example", "state": "example" }'
provider
required
string

OAuth provider name (e.g. anthropic, openai, google, copilot, openrouter)

Media typeapplication/json
object
code
required
string
state
required
string
Examplegenerated
{
"code": "example",
"state": "example"
}

OAuth connection status after successful code exchange

Media typeapplication/json
object
account_email
string | null
connected
required
boolean
consecutive_refresh_failures

Number of consecutive proactive-refresh failures since the last successful refresh. Frontend uses this to drive the warning state.

integer format: int32
expires_at
string | null format: date-time
id

#532 (A5) — the underlying agent_oauth_tokens.id, present whenever the status is backed by a stored token (the /settings/oauth list + per-provider status). It is the credential id the system-LLM-credential selector pins an oauth_token by; absent (None) on a freshly-connected/exchanged/disconnected status whose row id is not in hand.

string | null format: uuid
last_refresh_attempt_at

Last successful or failed proactive refresh attempt timestamp.

string | null format: date-time
notified_expiry_at

Set when the keepalive job has emitted a one-shot expiry notification. Cleared by a subsequent successful refresh.

string | null format: date-time
organization_id
string | null format: uuid
provider
required
string
workspace_id
string | null format: uuid
Examplegenerated
{
"account_email": "example",
"connected": true,
"consecutive_refresh_failures": 1,
"expires_at": "2026-04-15T12:00:00Z",
"id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"last_refresh_attempt_at": "2026-04-15T12:00:00Z",
"notified_expiry_at": "2026-04-15T12:00:00Z",
"organization_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"provider": "example",
"workspace_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0"
}

Structured client error

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Authentication required

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Permission denied

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Structured server error

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}