Artemis implements OAuth 2.0 for delegated API access. This page walks through every step of the OAuth2 lifecycle from a client perspective: registering an application, sending users through the authorization flow, exchanging the authorization code for access and refresh tokens, keeping tokens fresh, and revoking them when they are no longer needed. Script and personal-use app flows using the password grant are also covered. For a high-level comparison of the available flows, see the authentication overview.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/artemis-development-group/artemis/llms.txt
Use this file to discover all available pages before exploring further.
Registering your application
All OAuth2 clients must be registered at/prefs/apps before they can request tokens.
| Field | Description |
|---|---|
| Name | Display name shown to users during the authorization prompt. |
| App type | web app (confidential, server-side), installed app (non-confidential, distributed), or script (personal use / bots). |
| Description | Optional. Displayed to users on the authorization screen. |
| Redirect URI | The URI Artemis redirects users to after they approve or deny access. Must exactly match the redirect_uri you send in every authorization request. |
OAuth2 scopes
Scopes define what parts of the API an access token is permitted to use. You request scopes as a space-separated string during authorization.| Scope | Name | What it grants |
|---|---|---|
identity | My Identity | Read the authenticated user’s username and signup date. |
account | Update account information | Update preferences and account information (not email or password). |
read | Read Content | Access posts and comments through the user’s account. |
submit | Submit Content | Submit links and comments from the user’s account. |
edit | Edit Posts | Edit and delete the user’s comments and submissions. |
vote | Vote | Submit and change votes on comments and submissions. |
save | Save Content | Save and unsave comments and submissions. |
history | History | Access voting history, saved, and hidden content. |
report | Report content | Report content for rules violations. Hide and show individual submissions. |
subscribe | Edit My Subscriptions | Manage branch subscriptions and the friends list. |
mybranches | My Branches | Access the list of branches the user moderates, contributes to, and subscribes to. |
flair | Manage My Flair | Select branch flair and change link flair on submissions. |
privatemessages | Private Messages | Access the inbox and send private messages. |
cbranches | Spend artemis gold cbranches | Spend gold cbranches to give gold to other users. |
modconfig | Moderate Branch Configuration | Manage configuration, sidebar, and CSS of moderated branches. |
modcontributors | Approve submitters and ban users | Add or remove approved submitters; ban, unban, mute, and unmute users. |
modflair | Moderate Flair | Manage and assign flair in moderated branches. |
modlog | Moderation Log | Access the moderation log in moderated branches. |
modothers | Invite or remove other moderators | Invite or remove moderators from moderated branches. |
modposts | Moderate Posts | Approve, remove, mark NSFW, and distinguish content in moderated branches. |
modself | Moderator and contributor status | Accept moderator invitations; remove self as moderator or contributor. |
modtraffic | Branch Traffic | Access traffic stats in moderated branches. |
modwiki | Moderate Wiki | Change wiki page editors and visibility in moderated branches. |
wikiedit | Wiki Editing | Edit wiki pages on the user’s behalf. |
wikiread | Read Wiki Pages | Read wiki pages through the user’s account. |
Script apps (password grant) receive the
* full-access scope by default if no explicit scope is requested.scopes query parameter to filter the response to specific scopes.
Authorization code flow
Use this flow for web and installed applications that act on behalf of other Artemis users.Redirect the user to /api/v1/authorize
Send the user’s browser to the authorization endpoint with the following query parameters:Artemis displays an authorization page where the user can approve or deny your request.
Your application’s client ID from
/prefs/apps.Must be
code for the authorization code flow, or token for the implicit flow (non-confidential installed apps only; does not issue refresh tokens).An opaque value you generate to maintain state between the request and callback. Artemis returns this value unchanged in the redirect. Use it to prevent CSRF attacks.
Must exactly match the redirect URI registered for your application.
Space-separated list of scopes to request. See the scope table above.
temporary for a short-lived access token only. permanent to also receive a refresh token that can be used to obtain new access tokens without re-authorization.Handle the redirect callback
If the user approves, Artemis redirects to your
redirect_uri with the following query parameters appended:code— a short-lived, single-use authorization code.state— the exact value you passed in step 1.
state matches the value you originally sent, then proceed to exchange the code.If the user denies the request, the redirect instead contains error=access_denied and the state value.Exchange the code for tokens
Make a server-side A successful response:
POST request to /api/v1/access_token. The request must use HTTP Basic authentication with your client ID as the username and client secret as the password.Must be
authorization_code.The authorization code received in the redirect callback.
Must exactly match the
redirect_uri used in the authorization request.refresh_token is only present when duration=permanent was requested.Token response fields
The bearer token to include in API requests.
Always
bearer.Seconds until the access token expires. Typically 3600 (one hour).
Space-separated list of scopes granted to this token.
Present only on permanent grants. Use this to obtain new access tokens without re-authorization.
Refreshing an access token
When an access token expires, use the refresh token to obtain a new one without sending the user through the authorization flow again.Must be
refresh_token.The refresh token returned during the initial token exchange.
access_token and expires_in. The refresh token itself remains valid and can be reused for subsequent refreshes.
Revoking tokens
Revoke an access or refresh token when the user disconnects your application or when you no longer need the token. Revoking a refresh token does not automatically revoke existing access tokens derived from it.The token string to revoke (access token or refresh token).
Optional hint to help the server locate the token faster. One of
access_token or refresh_token.204 No Content with an empty body. The endpoint also returns 204 if the token does not exist or has already been revoked — the outcome (the token is no longer valid) is the same either way.
Script / personal-use apps (password grant)
If your app type is script and you are authenticating as one of the app’s registered developers, you can exchange credentials directly for a token without any browser redirect.Must be
password.Your Artemis username.
Your Artemis password.
Space-separated list of scopes. If omitted, the token receives full access (
*).Using bearer tokens in API requests
Include the access token in theAuthorization header on every authenticated API call:
- curl
- Python
- JavaScript
403 Forbidden response means the token is valid but lacks the scope required by the endpoint. Request a new token with the necessary scopes.
Endpoint reference
| Endpoint | Method | Description |
|---|---|---|
/api/v1/authorize | GET | Display the authorization consent page to the user. |
/api/v1/access_token | POST | Exchange an authorization code, refresh token, or credentials for an access token. |
/api/v1/revoke_token | POST | Revoke an access or refresh token. |
/api/v1/scopes | GET | List available OAuth2 scopes and their descriptions. |