Skip to main content
The Rocketpunch API supports two authentication models: App Key authentication for server-side access to public platform data, and OAuth 2.0 for accessing data on behalf of a specific Rocketpunch user. Choose the right model based on what your application needs to do — most integrations start with App Key auth and add OAuth only when user-specific features are required.

When to Use OAuth

Both authentication methods use the same underlying API, but they serve different purposes. Pick the one that matches your use case.
Use CaseMethod
Search job listings on your platformApp Key
Display company profiles in your appApp Key
Browse public networking eventsApp Key
Access a signed-in user’s Rocketpunch profileOAuth 2.0
Read a user’s saved jobs or preferencesOAuth 2.0
Act on behalf of a user within RocketpunchOAuth 2.0
App Key authentication is the right choice when your server makes calls to public Rocketpunch data — jobs, companies, and events — without needing to identify or act as a specific user. You include your X-RP-API-Key header on every request, and the response reflects publicly available platform data. OAuth 2.0 is the right choice when your application needs a Rocketpunch user to grant you permission to read or interact with their personal data. The user logs in to Rocketpunch, reviews what your app is requesting, and approves access. You receive a token scoped to that user, which you then use for subsequent API calls.
If you only need public data — job listings, company profiles, or events — you do not need OAuth. Set up App Key authentication instead and skip the OAuth flow entirely.

OAuth 2.0 Authorization Code Flow

Rocketpunch implements the OAuth 2.0 Authorization Code Flow, the industry-standard approach for web and server-side applications. Here is a high-level overview of the steps:
  1. Redirect — Your app redirects the user to Rocketpunch’s authorization endpoint, including your client_id, requested scopes, and a redirect_uri where Rocketpunch will send the user back after consent.
  2. Consent — The user sees Rocketpunch’s login and permission screen. If they approve, Rocketpunch redirects them to your redirect_uri with a short-lived code parameter.
  3. Token exchange — Your server sends a POST request to Rocketpunch’s token endpoint, exchanging the code for an access_token (and optionally a refresh_token).
  4. API calls — Your app includes the access_token in the Authorization: Bearer header for any user-specific API requests.
See the Auth Flow guide for the complete implementation with code examples.

Setting Up OAuth

Before you can implement the flow, you need to register your application on the Rocketpunch developer portal.
1

Create your app

Go to developers.rocketpunch.com/apps/new and fill in your application name and description. These details are shown to users on the consent screen.
2

Add your redirect URI

Enter the callback URL where Rocketpunch will redirect users after they grant (or deny) consent. This must exactly match the redirect_uri you use in your authorization requests — including protocol, domain, and path.
https://yourapp.com/auth/rocketpunch/callback
3

Copy your credentials

After saving your app, the portal displays your Client ID and Client Secret. Store the Client Secret securely — treat it like a password. You will need both values when implementing the token exchange step.
Your Client Secret must never appear in client-side code, mobile app binaries, or public repositories. Token exchange must always happen on your server.

Scopes

Scopes define exactly what user data your application can access. When you redirect a user to the authorization endpoint, you include a scope parameter listing the permissions you need. The user sees these permissions on the consent screen before approving. Request only the scopes your app genuinely needs — asking for unnecessary permissions reduces user trust and lowers approval rates. Available scopes are listed in the Auth Flow guide.

Next Steps

Now that you understand when and why to use OAuth, implement the full authorization flow in your application.

Implement the Auth Flow

Step-by-step guide to building the authorization code flow, including redirect URLs, token exchange, and making authenticated API calls.