Spotless

access not integrations

Open authorization server metadata

Instant OAuth access to services without registering apps. Spotless handles authorization via pre registered apps and hands back a token for use directly with the service API.

Get started

Device Login

Use for browserless clients i.e. SSH sessions, CI and agents, even if the service does not support browserless login.

  1. Start the device flow for a service, i.e. dnsimple.

    curl -s -X POST https://spotless.run/device/dnsimple \
      --data-urlencode 'client_id=http://localhost'
    
  2. Open the verification URL in any browser and enter the user_code.

  3. Poll the token endpoint with the device_code

    curl -s -X POST https://spotless.run/token \
      --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:device_code' \
      --data-urlencode 'device_code=THE_DEVICE_CODE'
    

You don't need to use bash. Full specification in RFC 8628

Browser Login

Use for web apps running on localhost.

  1. GET /authorize/{service}: start the authorization code flow.

  2. Handle the redirect to your app on localhost.

  3. POST /token: exchange the spotless code for the service access token.

Full specification in OAuth v2.1

Who is it for

Is it secure

It's probably better than pasting API tokens into company chat.

Why now

Agents are only valuable when they can safely use real tools. The slow part is not writing the script; it is OAuth app setup, browserless login etc. Spotless pays that integration cost once spotless is free to use for local development for services that allow free integrations.

guides