Expensicat

Authentication

Authenticate with the Expensicat API using Bearer tokens or OAuth2

The Expensicat API supports two authentication methods: Bearer tokens for direct access and OAuth2 for third-party integrations.

Bearer token

Include your token in the Authorization header:

curl -H "Authorization: Bearer YOUR_TOKEN" \
  https://api.expensicat.com/api/v1/transactions

Bearer tokens can be session JWTs or OAuth2 access tokens.

OAuth2 (Authorization Code + PKCE)

For third-party applications, use the OAuth2 authorization code flow with PKCE.

1. Redirect to authorize

GET /api/auth/oauth2/authorize
Parameter              Description
client_id              Your application's client ID
redirect_uri           Your registered callback URL
response_type          Must be code
scope                  Space-separated list of scopes
code_challenge         PKCE code challenge (S256)
code_challenge_method  Must be S256
state                  Random string to prevent CSRF

2. Exchange code for token

POST /api/auth/oauth2/token
{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE",
  "redirect_uri": "https://yourapp.com/callback",
  "client_id": "YOUR_CLIENT_ID",
  "code_verifier": "PKCE_CODE_VERIFIER"
}

The response includes an access_token and refresh_token.

3. Use the access token

curl -H "Authorization: Bearer ACCESS_TOKEN" \
  https://api.expensicat.com/api/v1/transactions

Scopes

Request only the scopes your application needs:

Scope               Description
transactions:read   Read transactions
transactions:write  Create and update transactions
entries:read        Read entries, projects, time entries
entries:write       Create and update entries, projects, time entries
invoices:read       Read invoices, customers, recurring invoices
invoices:write      Create and update invoices, customers, recurring invoices
banking:read        Read bank accounts
banking:write       Manage bank account connections
documents:read      Read documents
documents:write     Upload and manage documents
team:read           Read team members, organization settings, integrations
team:admin          Manage team members, organization settings, integrations
analytics:read      Read financial metrics and reports
