OAuth & Developer Apps
Build integrations that work across multiple EsperWorks businesses. Developer accounts let you create OAuth apps that any business can authorise; no shared API keys needed.
1. Create a developer account
Register at tryesperworks.com/developer/register or via the API:
curl -X POST https://api.tryesperworks.com/api/v1/auth/register-developer \
-H "Content-Type: application/json" \
-d '{
"name": "Your Name",
"email": "you@example.com",
"password": "yourpassword",
"password_confirmation": "yourpassword"
}'
# Response:
# { "token": "...", "user": { "id": 1, "role": "developer" } }2. Create an OAuth app
From your developer dashboard or via API using your developer token:
curl -X POST https://api.tryesperworks.com/api/v1/developer/apps \
-H "Authorization: Bearer <developer_token>" \
-H "Content-Type: application/json" \
-d '{
"name": "My Integration",
"description": "Syncs invoices with my platform",
"redirect_uri": "https://myapp.com/oauth/callback"
}'
# Response:
# {
# "app": { "client_id": "ew_app_xxxx", ... },
# "client_secret": "ew_secret_xxxx" ← shown only once
# }Save the client_secret immediately; it is shown only once. You can rotate it later from the dashboard.
3. Redirect the user to authorise
Send the business owner to the EsperWorks authorisation page. They log in and approve the scopes your app requests. Always include a state parameter to prevent CSRF attacks.
# Redirect the business owner to this URL in their browser: https://tryesperworks.com/oauth/authorize ?client_id=ew_app_xxxx &redirect_uri=https://myapp.com/oauth/callback &scope=invoices:read+clients:read &state=random_csrf_token
4. Exchange the code for an access token
After approval, EsperWorks redirects to your redirect_uri with a ?code= query param. Exchange it for an access token server-side:
curl -X POST https://api.tryesperworks.com/api/v1/oauth/token \
-H "Content-Type: application/json" \
-d '{
"client_id": "ew_app_xxxx",
"client_secret": "ew_secret_xxxx",
"code": "<code_from_callback>",
"redirect_uri": "https://myapp.com/oauth/callback"
}'
# Response:
# { "access_token": "...", "token_type": "Bearer", "business_id": 42 }5. Make API calls on behalf of the business
Use the access token as a Bearer token. All requests are automatically scoped to the business that authorised your app.
curl https://api.tryesperworks.com/api/v1/invoices \ -H "Authorization: Bearer <access_token>"
Revoking access
Business owners can revoke access at any time from their dashboard under Connected Apps. You can also revoke programmatically via POST /businesses/{business_id}/oauth/revoke.