Sketchfab OAuth 2.0 API

OAuth 2.0 authorization server for the Sketchfab platform. Supports Authorization Code, Implicit, and Resource Owner Password Credentials grant types plus refresh-token rotation. Authorize endpoint at /oauth2/authorize/ and token endpoint at /oauth2/token/. Access tokens expire after one month.

Sketchfab OAuth 2.0 API is one of 5 APIs that Sketchfab publishes on the APIs.io network, described by a machine-readable OpenAPI specification.

Tagged areas include OAuth, Authentication, and Authorization. The published artifact set on APIs.io includes API documentation and an OpenAPI specification.

OpenAPI Specification

sketchfab-oauth-api-openapi.yml
openapi: 3.1.0
info:
  title: Sketchfab OAuth 2.0 API
  description: >
    Sketchfab OAuth 2.0 authorization server. Supports the Authorization Code,
    Implicit, and Resource Owner Password Credentials grant types plus refresh
    token rotation. Access tokens are valid for one month; the Implicit flow
    does not issue refresh tokens.
  version: '2.0'
  contact:
    name: Sketchfab Developer Support
    url: https://support.fab.com/s/?ProductOrigin=Sketchfab
  license:
    name: Sketchfab Developer Terms of Use
    url: https://sketchfab.com/developers/terms
servers:
  - url: https://sketchfab.com
    description: Production
tags:
  - name: OAuth
    description: OAuth 2.0 authorization and token endpoints.
paths:
  /oauth2/authorize/:
    get:
      summary: OAuth Authorize Endpoint
      description: Initiate the Authorization Code or Implicit flow. The end user is presented with the Sketchfab consent screen and on approval the browser is redirected back to the registered redirect_uri with either a `code` query parameter or an `access_token` URL fragment.
      operationId: oauthAuthorize
      tags:
        - OAuth
      parameters:
        - name: response_type
          in: query
          required: true
          description: '`code` (Authorization Code) or `token` (Implicit).'
          schema:
            type: string
            enum:
              - code
              - token
        - name: client_id
          in: query
          required: true
          schema:
            type: string
        - name: redirect_uri
          in: query
          required: false
          description: Redirect URI registered with the OAuth application.
          schema:
            type: string
            format: uri
        - name: state
          in: query
          description: Recommended CSRF / replay protection nonce.
          schema:
            type: string
        - name: approval_prompt
          in: query
          description: Set to `force` to always re-prompt the user for consent.
          schema:
            type: string
      responses:
        '302':
          description: Redirect to the application's redirect_uri carrying `code` or `access_token`.
  /oauth2/token/:
    post:
      summary: OAuth Token Endpoint
      description: Exchange an authorization code for tokens, refresh an access token, or perform a password grant. Requires Content-Type `application/x-www-form-urlencoded`.
      operationId: oauthToken
      tags:
        - OAuth
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - grant_type
                - client_id
                - client_secret
              properties:
                grant_type:
                  type: string
                  enum:
                    - authorization_code
                    - refresh_token
                    - password
                client_id:
                  type: string
                client_secret:
                  type: string
                code:
                  type: string
                  description: Authorization code (authorization_code grant).
                redirect_uri:
                  type: string
                  format: uri
                refresh_token:
                  type: string
                  description: Refresh token (refresh_token grant).
                username:
                  type: string
                  description: Sketchfab username (password grant).
                password:
                  type: string
                  description: Sketchfab password (password grant).
      responses:
        '200':
          description: Token response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          description: Invalid request or grant.
components:
  schemas:
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
        token_type:
          type: string
          example: Bearer
        expires_in:
          type: integer
          description: Lifetime of the access token in seconds (typically 30 days).
        refresh_token:
          type: string
          description: Issued for Authorization Code and Password grants only.
        scope:
          type: string