Sessionboard supports OAuth 2.1 with PKCE for authenticating AI assistants (Claude, ChatGPT, and other MCP-compatible clients). This enables users to authorize AI tools to query their event data through a secure, permission-based flow.

How It Works

1. AI client redirects user to Sessionboard consent page
2. User logs in, selects organization, approves requested scopes
3. Sessionboard redirects back with an authorization code
4. AI client exchanges the code for access + refresh tokens
5. AI client uses the access token for MCP queries

Endpoints

All OAuth endpoints are on public-api.sessionboard.com (US) or public-api-eu.sessionboard.com (EU).
Endpoint | Method | Description
--- | --- | ---
/oauth/authorize | GET | Validate authorization request parameters
/oauth/authorize/consent | POST | User approves — generates authorization code
/oauth/eligible-orgs | GET | List orgs where user has AI Access permission
/oauth/token | POST | Exchange code for tokens, refresh tokens
/oauth/revoke | POST | Revoke access or refresh tokens
/oauth/.well-known/oauth-authorization-server | GET | RFC 8414 server metadata

Authorization Request

Redirect the user to the authorization endpoint with these parameters:
GET /oauth/authorize?
  client_id=your-client-id&
  redirect_uri=https://your-app.com/callback&
  response_type=code&
  scope=read:events+read:sessions+read:contacts&
  code_challenge=<S256_HASH>&
  code_challenge_method=S256&
  state=<random_state>
Parameter | Required | Description
--- | --- | ---
client_id | Yes | Your registered OAuth client ID
redirect_uri | Yes | Must match a registered redirect URI
response_type | Yes | Must be code
scope | No | Space-separated scopes (defaults to client’s registered scopes)
code_challenge | Yes | PKCE challenge (S256 method)
code_challenge_method | Yes | Must be S256
state | Recommended | Opaque value for CSRF protection

Token Exchange

Exchange the authorization code for tokens:
curl -X POST https://public-api.sessionboard.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "code": "AUTHORIZATION_CODE",
    "redirect_uri": "https://your-app.com/callback",
    "client_id": "your-client-id",
    "code_verifier": "YOUR_PKCE_VERIFIER"
  }'
Response:
{
  "access_token": "...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "...",
  "scope": "read:events read:sessions read:contacts"
}
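A client-side walk through steps 1 to 4 above (PKCE pair, authorization URL, state check on the callback, JSON token exchange), written in Python as an added example; it is not Sessionboard's own code or SDK. The client ID, redirect URI, callback URL and the injectable `post` callable are assumptions for illustration; the US base URL is the one given on this page.

```python
import base64, hashlib, json, secrets
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request, urlopen

BASE_URL = "https://public-api.sessionboard.com"  # US region; EU tenants use public-api-eu.sessionboard.com

def make_pkce_pair(verifier=None):
    """RFC 7636 S256: 32 random bytes -> 43-char base64url verifier; challenge = b64url(sha256(verifier))."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id, redirect_uri, scopes, challenge, state, base=BASE_URL):
    """Step 1: the consent-page URL. Scopes are space-separated; keep state and verifier client-side."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{base}/oauth/authorize?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Step 3: extract the code; a state mismatch means the redirect was not ours (CSRF), so drop it."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    if "error" in qs:
        raise RuntimeError("authorization failed: " + qs["error"][0])
    return qs["code"][0]

def exchange_code(code, redirect_uri, client_id, verifier, post=None, base=BASE_URL):
    """Step 4: POST code + PKCE verifier as JSON (this server takes a JSON body, not RFC 6749 form encoding)."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": verifier}
    if post is None:  # default transport; a fake post(url, payload) -> dict can be injected for offline runs
        def post(url, payload):
            req = Request(url, data=json.dumps(payload).encode(), method="POST",
                          headers={"Content-Type": "application/json"})
            with urlopen(req, timeout=10) as resp:
                return json.load(resp)
    tokens = post(f"{base}/oauth/token", body)
    if "access_token" not in tokens:
        raise RuntimeError("token endpoint returned no access_token: " + json.dumps(tokens))
    return tokens
```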

Refresh Tokens

Access tokens expire after 1 hour. Use the refresh token to get a new one:
curl -X POST https://public-api.sessionboard.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "refresh_token": "YOUR_REFRESH_TOKEN",
    "client_id": "your-client-id"
  }'
Refresh tokens expire after 7 days and are rotated on each use: each refresh response carries a new refresh token and the old one is revoked, so the client must store the replacement.

Using the Token

Include the access token as a Bearer token on API requests:
curl https://public-api.sessionboard.com/v1/events \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Bearer tokens work on all /v1/ endpoints alongside the existing x-access-token header authentication.

Token Revocation

Revoke a token when the user disconnects:
curl -X POST https://public-api.sessionboard.com/oauth/revoke \
  -H "Content-Type: application/json" \
  -d '{
    "token": "TOKEN_TO_REVOKE",
    "token_type_hint": "access_token"
  }'

Available Scopes

Scope | Description
--- | ---
read:events | View events and event details
read:sessions | View session data including titles, times, tracks, and statuses
read:contacts | View contact, participant, exhibitor, and sponsor information
read:reports | View and run saved custom reports
read:dashboards | View dashboards and widget data
read:insights | Query data using natural language and SbQL
OAuth tokens currently support read-only scopes. For write operations (creating sessions, updating contacts, managing agendas), use API tokens with the appropriate write:* scopes.

Permission Model

OAuth tokens inherit the authorizing user’s permissions:
  • Organization admin with AI Access → token can query all events in the org
  • Event-only user with AI Access → token scoped to their permitted events
  • AI Access revoked → token stops working immediately (checked on every request)
  • AI features disabled for org → all OAuth tokens for that org are blocked
The “AI Access” permission (under Data & Insights) controls who can authorize OAuth connections. It is enabled by default for Admin roles.

Server Metadata

Discover OAuth server capabilities at:
GET /oauth/.well-known/oauth-authorization-server
Returns supported response types, grant types, scopes, and endpoint URLs per RFC 8414.