When to Use OAuth
Both authentication methods use the same underlying API, but they serve different purposes. Pick the one that matches your use case.

| Use Case | Method |
|---|---|
| Search job listings on your platform | App Key |
| Display company profiles in your app | App Key |
| Browse public networking events | App Key |
| Access a signed-in user’s Rocketpunch profile | OAuth 2.0 |
| Read a user’s saved jobs or preferences | OAuth 2.0 |
| Act on behalf of a user within Rocketpunch | OAuth 2.0 |
X-RP-API-Key header on every request, and the response reflects publicly available platform data.
OAuth 2.0 is the right choice when your application needs a Rocketpunch user to grant you permission to read or interact with their personal data. The user logs in to Rocketpunch, reviews what your app is requesting, and approves access. You receive a token scoped to that user, which you then use for subsequent API calls.
If you only need public data — job listings, company profiles, or events — you do not need OAuth. Set up App Key authentication instead and skip the OAuth flow entirely.
OAuth 2.0 Authorization Code Flow
Rocketpunch implements the OAuth 2.0 Authorization Code Flow, the industry-standard approach for web and server-side applications. Here is a high-level overview of the steps:

- Redirect — Your app redirects the user to Rocketpunch’s authorization endpoint, including your `client_id`, requested scopes, and a `redirect_uri` where Rocketpunch will send the user back after consent.
- Consent — The user sees Rocketpunch’s login and permission screen. If they approve, Rocketpunch redirects them to your `redirect_uri` with a short-lived `code` parameter.
- Token exchange — Your server sends a POST request to Rocketpunch’s token endpoint, exchanging the `code` for an `access_token` (and optionally a `refresh_token`).
- API calls — Your app includes the `access_token` in the `Authorization: Bearer` header for any user-specific API requests.
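The four steps above as client-side code, added here as an example and not Rocketpunch's own code: the authorization endpoint URL is a placeholder (the page does not list it), a `client_secret` in the token request is assumed, and the `state` parameter is standard OAuth 2.0 CSRF protection that the overview above does not mention.

```python
import secrets
import urllib.parse

# Assumed endpoint: the page does not list Rocketpunch's OAuth URLs; take the
# real values from the Auth Flow guide.
AUTHORIZE_URL = "https://ASSUMED-rocketpunch-host/oauth/authorize"

def new_state():
    """Unguessable per-login value; keep it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)

def authorization_params(client_id, redirect_uri, scopes, state):
    """Step 1 (Redirect): query parameters for the authorization endpoint."""
    return {"response_type": "code", "client_id": client_id,
            "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}

def build_authorization_url(client_id, redirect_uri, scopes, state):
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(
        authorization_params(client_id, redirect_uri, scopes, state))

def parse_callback(callback_url, expected_state, registered_redirect_uri):
    """Step 2 (Consent) result: validate the redirect back and return the code.
    ValueError on a wrong redirect_uri or state; PermissionError if the user denied."""
    parts = urllib.parse.urlsplit(callback_url)
    received = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    # The portal's exact-match rule: protocol, domain and path must all agree.
    if received != registered_redirect_uri:
        raise ValueError("callback did not arrive on the registered redirect_uri")
    query = urllib.parse.parse_qs(parts.query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible forged or replayed callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no code")
    return code

def token_request_body(client_id, client_secret, code, redirect_uri):
    """Step 3 (Token exchange): form body your server POSTs to the token endpoint.
    client_secret is assumed; the page only says the exchange is server-side."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}

def bearer_header(access_token):
    """Step 4 (API calls): header for user-specific requests."""
    return {"Authorization": "Bearer " + access_token}
```

The `code` returned by `parse_callback` is single-use and short-lived, so exchange it immediately and never log it.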
Setting Up OAuth
Before you can implement the flow, you need to register your application on the Rocketpunch developer portal.
Create your app
Go to developers.rocketpunch.com/apps/new and fill in your application name and description. These details are shown to users on the consent screen.
Add your redirect URI
Enter the callback URL where Rocketpunch will redirect users after they grant (or deny) consent. This must exactly match the `redirect_uri` you use in your authorization requests — including protocol, domain, and path.
Scopes
Scopes define exactly what user data your application can access. When you redirect a user to the authorization endpoint, you include a `scope` parameter listing the permissions you need. The user sees these permissions on the consent screen before approving.
Request only the scopes your app genuinely needs — asking for unnecessary permissions reduces user trust and lowers approval rates. Available scopes are listed in the Auth Flow guide.
Next Steps
Now that you understand when and why to use OAuth, implement the full authorization flow in your application.
Implement the Auth Flow
Step-by-step guide to building the authorization code flow, including redirect URLs, token exchange, and making authenticated API calls.