RevCent OAuth

Overview and details on RevCent OAuth access.

RevCent offers OAuth 2.0 for external access to your RevCent account via the API. This is useful for third parties, especially AI via the RevCent MCP. Some third parties prefer not to save API Keys and instead use OAuth to access the RevCent API.

Note: If you are viewing this page in order to connect your AI tool to the RevCent MCP, visit the RevCent MCP page for connection instructions.

Why OAuth

OAuth 2.0 is a standard for accessing protected resources programmatically. It allows you to grant external access to your RevCent account without the need to use a static API key.

How It Works

OAuth is a multi step process, requiring endpoints, credentials and ultimately granting access.

  1. Create an OAuth Client in RevCent by going to https://revcent.com/user/oauth-clients and clicking the Create OAuth Client button.
  2. Copy the OAuth client ID and secret.
  3. Use the client ID and secret when configuring the third party.
  4. During the OAuth flow, grant access to the third party.

OAuth Endpoints

The following are the RevCent OAuth endpoints. Third parties accessing RevCent via OAuth typically discover these URLs automatically, so you generally will not need to enter them manually when configuring an integration.

  • Authorization URL: https://revcent.com/oauth/authorize
  • Token URL: https://revcent.com/oauth/token

OAuth Client

An OAuth client is the starting point for granting remote access to the API and generating access tokens. Every access token generated must have an associated OAuth Client in RevCent. An OAuth client is necessary for issuing tokens and granting access.

View OAuth Clients

View all of your OAuth clients by visiting https://revcent.com/user/oauth-clients

Create an OAuth Client

Create a new OAuth client by clicking the Create New OAuth Client button when viewing all OAuth clients, or go to https://revcent.com/user/new-oauth-client

Edit an OAuth Client

Edit a specific OAuth client by clicking the edit button when viewing all OAuth clients. View all current access tokens specific to the OAuth client by clicking the Access Tokens tab.

The Auth Details tab contains the following values for configuring a third party to access your RevCent account:

  • Authorization URL
  • Token URL
  • Client ID
  • Client Secret

OAuth Access Token

OAuth access tokens are normally created automatically during the OAuth flow when a third party uses your OAuth client credentials. You should typically not need to manually generate an access token. The manual option below is provided only for integrations that explicitly require a standalone bearer token and cannot complete the OAuth flow.

View Access Tokens

View your access tokens and their associated OAuth clients by visiting https://revcent.com/user/oauth-access-tokens. You can view the access token as well as delete an access token.

Create an Access Token

Only manually create an access token when an integration explicitly requires a bearer token instead of completing the OAuth flow with a client ID and secret. To create one, edit the OAuth client, open the Access Tokens tab, then click Create Access Token.

Using an Access Token

When using an access token, requests should use the “Authorization” header and Bearer.

Example: "Authorization": "Bearer YourAccessToken"

Best Practices

Important: When a third-party application accesses your RevCent account, it can conduct over 250 operations, some of which have serious consequences. Enable only the permissions that the third party needs through its OAuth client.

Principle Of Least Privilege

We recommend using the principle of least privilege (PoLP) when creating OAuth clients for third-party integrations. An OAuth client should only be allowed to perform the actions its integration needs, which limits the impact of a configuration error, compromised credential, or unintended third-party behavior.

Specific OAuth Clients

Create a separate OAuth client for each third-party integration or use case. You can create as many OAuth clients as you need.

  • An OAuth client specifically for a customer support or help desk integration.
  • An OAuth client specifically for a reporting or analytics integration.
  • An OAuth client specifically for a custom application or automation.

Specific Permissions

When editing an OAuth client, open the Permissions tab and enable only the permissions required by that integration.

  • A reporting or analytics OAuth client should only have reporting and data-retrieval permissions; it should not be able to refund, edit, or delete records.
  • A customer support OAuth client should only have the customer, subscription, and transaction permissions required for its support workflow.
  • A custom application or automation OAuth client should have only the permissions required for its specific function.