All API requests require a Bearer access token. How you obtain the token depends on whether your application is public or private.
Include the access token on every API request:
    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
    Accept: application/json
Public apps use the standard OAuth 2.0 authorization code grant.
Redirect the user to the authorization endpoint:
    GET https://mokapen.com/oauth/authorize

Query parameters:

    client_id      (required)  Your Client ID
    redirect_uri   (required)  Must match a registered redirect URL
    response_type  (required)  Must be "code"
    scope          (required)  Space-separated scopes, e.g. tasks.read tasks.write
    state          (required)  Random value (min. 16 chars) to prevent CSRF
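    session_start();

    // 8 random bytes encode to 16 hex characters, the documented minimum for state.
    $state = bin2hex(random_bytes(8));
    // Keep the value server-side so the callback can compare it with the returned state.
    $_SESSION['oauth_state'] = $state;

    $params = [
        'client_id'     => 'YOUR_CLIENT_ID',
        'redirect_uri'  => 'https://example.com/oauth/callback',
        'response_type' => 'code',
        'scope'         => 'tasks.read tasks.write',
        'state'         => $state,
    ];
    $url = 'https://mokapen.com/oauth/authorize?' . http_build_query($params);
    header('Location: ' . $url);
    exit; // stop executing once the redirect header is sent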
After the user approves access, Mokapen redirects to your redirect_uri with a code parameter. Exchange it for tokens:
    POST https://mokapen.com/oauth/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code
    &client_id=YOUR_CLIENT_ID
    &client_secret=YOUR_CLIENT_SECRET
    &redirect_uri=https://example.com/oauth/callback
    &code=AUTHORIZATION_CODE_FROM_CALLBACK

    {
        "token_type": "Bearer",
        "expires_in": 31536000,
        "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
        "refresh_token": "def50200...",
        "organization_id": 849,
        "organization_name": "Your Organization"
    }
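The callback step described above, as an added PHP example that is not part of the original Mokapen documentation: it checks the returned state against the value saved before the redirect, then exchanges the code for tokens. It assumes the state was stored in $_SESSION['oauth_state'], that the client secret is in a hypothetical MOKAPEN_CLIENT_SECRET environment variable, and that a successful exchange returns HTTP 200; requestToken is a hypothetical helper.

```php
<?php
// Assumption: the authorization request stored its state in $_SESSION['oauth_state'].
session_start();

// Hypothetical helper: POST form fields to the token endpoint and decode the JSON reply.
function requestToken(array $fields): array
{
    $ch = curl_init('https://mokapen.com/oauth/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // form-urlencoded body
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($body === false || $status !== 200) { // assumed: success is HTTP 200
        throw new RuntimeException('Token request failed with HTTP status ' . $status);
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Read the stored state and delete it so that it can be used only once.
$expected = $_SESSION['oauth_state'] ?? '';
unset($_SESSION['oauth_state']);
$returned = $_GET['state'] ?? '';
$code     = $_GET['code'] ?? '';

// Reject the callback unless the state matches (constant-time compare) and a code is present.
if (!is_string($returned) || !is_string($code) || $expected === '' || $code === ''
    || !hash_equals($expected, $returned)) {
    http_response_code(400);
    exit('Invalid OAuth callback');
}

$tokens = requestToken([
    'grant_type'    => 'authorization_code',
    'client_id'     => 'YOUR_CLIENT_ID',
    'client_secret' => getenv('MOKAPEN_CLIENT_SECRET'), // assumed env var; keeps the secret out of source
    'redirect_uri'  => 'https://example.com/oauth/callback',
    'code'          => $code,
]);

// Keep tokens server-side; organization_id is the ID to use in API URLs.
session_regenerate_id(true);
$_SESSION['access_token']    = $tokens['access_token'];
$_SESSION['refresh_token']   = $tokens['refresh_token'];
$_SESSION['organization_id'] = $tokens['organization_id'];
```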
organization_id in the response reflects the organization the user selected during authorization. Use this same ID in API URLs (see Organizations).

When the access token expires, request a new one using the refresh token:
    POST https://mokapen.com/oauth/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=refresh_token
    &client_id=YOUR_CLIENT_ID
    &client_secret=YOUR_CLIENT_SECRET
    &refresh_token=YOUR_REFRESH_TOKEN
Private apps do not require an OAuth redirect. From the Developer dashboard, open your application, go to Credentials, and click Generate Token.
The token is created using the client_credentials grant and is scoped to your current organization session. Store it securely and never share it publicly.
    POST https://mokapen.com/oauth/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials
    &client_id=YOUR_CLIENT_ID
    &client_secret=YOUR_CLIENT_SECRET
    &scope=tasks.read tasks.write contacts.read
    &organization_id=849
organization_id when requesting a private app token. The organization ID is stored in the token and enforced on subsequent API calls.

    // 849 in the path is the organization_id the token was issued for.
    $url = 'https://mokapen.com/api/v1/849/contacts';
    $token = 'YOUR_ACCESS_TOKEN';

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true, // return the body instead of printing it
        CURLOPT_HTTPHEADER => [
            'Authorization: Bearer ' . $token,
            'Accept: application/json',
        ],
    ]);
    $response = curl_exec($ch); // false on a transport failure
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);