docs.do.dev
API Reference

Learn how to authenticate with the do.dev APIs.

API Keys

API keys are the primary authentication method for the do.dev APIs.

Creating an API Key

  1. Navigate to SettingsAPI Keys
  2. Click Create New Key
  3. Give your key a name
  4. Copy the key securely

API keys are shown only once. Store them securely.

Using API Keys

Include your API key in the Authorization header:

curl https://api.do.dev/v1/users/me \
  -H "Authorization: Bearer sk_live_xxxxx"

Key Types

TypePrefixUsage
Livesk_live_Production
Testsk_test_Development/Testing

OAuth 2.0

For user-facing applications, use OAuth 2.0:

Authorization Code Flow

  1. Redirect user to authorization URL
  2. User grants permission
  3. Receive authorization code
  4. Exchange code for access token
// Step 1: Build authorization URL
const authUrl = new URL('https://do.dev/oauth/authorize');
authUrl.searchParams.set('client_id', 'YOUR_CLIENT_ID');
authUrl.searchParams.set('redirect_uri', 'https://your-app.com/callback');
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('scope', 'read write');

// Step 2: After user authorizes, exchange code
const response = await fetch('https://api.do.dev/oauth/token', {
  method: 'POST',
  body: JSON.stringify({
    grant_type: 'authorization_code',
    code: 'AUTH_CODE',
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET',
    redirect_uri: 'https://your-app.com/callback',
  }),
});

const { access_token, refresh_token } = await response.json();

Scopes

Available permission scopes:

ScopeDescription
readRead-only access
writeRead and write access
billing:readView billing info
billing:writeManage billing

Token Management

Refresh Tokens

const response = await fetch('https://api.do.dev/oauth/token', {
  method: 'POST',
  body: JSON.stringify({
    grant_type: 'refresh_token',
    refresh_token: 'REFRESH_TOKEN',
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET',
  }),
});

Revoking Tokens

await fetch('https://api.do.dev/oauth/revoke', {
  method: 'POST',
  body: JSON.stringify({
    token: 'ACCESS_TOKEN',
  }),
});

Security Best Practices

  1. Never expose keys in client code
  2. Use environment variables
  3. Rotate keys regularly
  4. Use minimum required scopes
  5. Monitor API usage

API Reference Overview

do.dev API documentation

Billing API

API endpoints for billing and subscriptions

On this page

API KeysCreating an API KeyUsing API KeysKey TypesOAuth 2.0Authorization Code FlowScopesToken ManagementRefresh TokensRevoking TokensSecurity Best Practices