
Onboarding

Getting Started

Base URL

All API requests should be made to this base URL followed by the specific endpoint path.

https://api.qoyod.com/v2

Authentication

Qoyod's v2 API accepts two authentication methods. Both work on all three endpoints covered in this guide. Use whichever fits your integration architecture.

  • API Key

  • JWT Bearer Token

How To Obtain API Key

  • Log in to your Qoyod account at: https://www.qoyod.com
  • Navigate to Settings → General Settings.
  • Click Generate New Key.
  • Click Save to confirm.

How To Obtain Bearer Token

Request OAuth Access from Your Tenant Admin


Qoyod's OAuth feature is not enabled by default. Before you can begin, contact Qoyod Support at [email protected]

The Qoyod administrator must:

  1. Enable it for your organization's account.
  2. Create a new application for your organization, with the required scopes for API access.
  3. Share the generated Client ID and Client Secret with you securely.

Contact your Qoyod administrator to initiate this step. Without an active OAuth application, authorization requests will be rejected.


Security Notice — Protect Your Credentials

You are solely responsible for the confidentiality and secure storage of your OAuth credentials.

| Credential | Description | Risk if leaked |
| --- | --- | --- |
| API Key | Private secret used to authenticate your app | Critical — allows impersonation of your application |
| Client ID (client_id) | Public identifier of your application | Low on its own, but enables phishing if combined with other info |
| Client Secret (client_secret) | Private secret used to authenticate your app | Critical — allows impersonation of your application |
| Authorization Code | Short-lived single-use code exchanged for a token | High — must be exchanged immediately and never reused |
| Access Token | JWT bearer token for API calls | Critical — grants full API access within its scopes |
| Refresh Token | Long-lived token used to renew access tokens | Critical — treat with the same care as a password |

Required practices:

  • Never embed credentials in client-side code (JavaScript, mobile app binaries, or public repositories).
  • Store secrets in environment variables or a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault).
  • Transmit all tokens exclusively over HTTPS.
  • Authorization codes are single-use and short-lived — exchange them immediately upon receipt.
  • Refresh tokens must be stored securely and rotated after each use.
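
One way to enforce the first practice before code is committed: the scanner below is an added example, not part of Qoyod's documentation or tooling, and flags literal `api_key`, `client_secret` and `refresh_token` assignments as well as JWT-shaped access tokens in source text. The sample input, the variable name `QOYOD_CLIENT_SECRET` and the placeholder prefixes are assumptions made for the illustration.

```python
import base64
import json
import re

# Literal assignments to the secrets listed in the credential table.
SECRET_RE = re.compile(
    r"""(api_key|client_secret|refresh_token)["']?\s*[:=]\s*["']([^"'\s]{8,})["']""",
    re.IGNORECASE,
)
# JWT shape: three base64url segments; a JSON header always encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")
PLACEHOLDER_PREFIXES = ("<", "${", "YOUR_")  # assumed template markers, not real secrets

def is_jwt(candidate):
    """Confirm the first segment decodes to a JSON header carrying "alg"."""
    header = candidate.split(".")[0]
    try:
        decoded = json.loads(base64.urlsafe_b64decode(header + "=" * (-len(header) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(decoded, dict) and "alg" in decoded

def scan(text, filename="<input>"):
    """Return (filename, line number, kind) for each hardcoded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_RE.finditer(line):
            if not m.group(2).startswith(PLACEHOLDER_PREFIXES):
                findings.append((filename, lineno, m.group(1).lower()))
        for m in JWT_RE.finditer(line):
            if is_jwt(m.group(0)):
                findings.append((filename, lineno, "jwt"))
    return findings

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample input: every value below is made up for this example.
SAMPLE_JWT = ".".join([_b64({"alg": "HS256", "typ": "JWT"}), _b64({"sub": "demo"}), "c2lnbmF0dXJl"])
SAMPLE = f"""const cfg = {{ client_id: "app-123", client_secret: "s3cr3t-constructed-value" }};
const secret = process.env.QOYOD_CLIENT_SECRET;  // hypothetical variable name
fetch(url, {{ headers: {{ Authorization: "Bearer {SAMPLE_JWT}" }} }});
const build = "eyJub3QuYS5qd3Q.aaaaa.bbbbb";  // JWT-shaped but not a JWT
api_key = "<YOUR_API_KEY>"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "app.js"):
        print("%s:%d hardcoded %s" % finding)
```

Run it from a pre-commit hook or CI step over staged files and fail the build on any finding; a match on a real credential means the secret should be treated as leaked and reissued, not just deleted from the file.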

In case of credential leakage, contact Qoyod support immediately at [email protected] so the compromised application credentials can be revoked and reissued.