
Settings → Connections → API keys / OAuth apps
Open your organisation’s API keys screen.
Enter a clear key name.
Optionally add a description for later reference.
Optionally set an expiry date in the future.
Choose at least one scope for what the key can access.
Create the key, then copy the secret immediately.
You can only view the full key once.
Open the API keys list for your organisation.
Check each key’s name, scopes, and expiry date.
Look at the last used time, last used IP, and usage count.
Use the key hint to recognise a key without revealing the secret.
Revoke any key you no longer trust or need.
You can keep at most 20 active API keys.
Have a Cashfeed admin create the client in the OAuth admin area.
Give the client a name and optional description.
Add one or more redirect URIs.
Choose the scopes the app may request.
Save the client and store the returned client secret securely.
Use the first redirect URI to build the consent URL when testing.
Redirect URIs must use https, or localhost-style http, or a custom app scheme.
Open the consent URL for the client.
Check the client name and requested permissions carefully.
If needed, narrow access to selected organisations instead of all organisations.
Sign in if Cashfeed asks you to.
Approve the request to receive the redirect back to the app, or deny it to return an access_denied error.
Exchange the authorisation code for tokens using the same redirect URI and PKCE verifier.
If you leave organisation selection empty, access applies to all organisations you belong to, including future ones.
Check that the key name is filled in.
Choose at least one scope.
Use an expiry date in the future, if you set one.
Revoke an existing active key if you already have 20.
Copy the key immediately after creation.
Use the key hint to identify it later.
Create a new key if you closed the secret before saving it.
Use the exact redirect URI registered on the client.
Make sure the URI uses https, or localhost/127.0.0.1/::1 for http.
For desktop apps, use the same custom scheme you registered.
Request only scopes the client was registered with.
Remove any unknown or mistyped scope strings.
For MCP apps, use only supported MCP scopes.
Send the same redirect URI used during authorisation.
Include the PKCE code verifier for an authorisation-code exchange.
Pass the client ID when using a public client without Basic auth.