Authentication

Secure authentication using OAuth 2.0 with PKCE for web and mobile applications.

Overview

Velora supports two OAuth 2.0 flows:

  • Authorization Code with PKCE - For user authorization in web and mobile apps
  • Client Credentials - For server-to-server requests (app-only access)

OAuth Endpoints

https://velora.tv/oauth/authorize
https://api.velora.tv/api/developer/oauth/token
https://api.velora.tv/api/developer/oauth/scopes

Authorization Code Flow with PKCE

This flow is recommended for web and mobile applications where you need to act on behalf of a user.

1. Generate PKCE Code Verifier

Generate a cryptographically random code verifier (43-128 characters):

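// JavaScript example
function generateCodeVerifier() {
  // 32 random bytes encode to 43 base64url characters (the minimum length)
  const array = new Uint8Array(32);
  crypto.getRandomValues(array);
  return base64URLEncode(array);
}

// Base64url without padding: '+' becomes '-', '/' becomes '_', '=' is removed
function base64URLEncode(buffer) {
  return btoa(String.fromCharCode(...buffer))
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=/g, '');
}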

2. Generate Code Challenge

Create a SHA-256 hash of the code verifier and base64url-encode it:

async function generateCodeChallenge(verifier) {
  const encoder = new TextEncoder();
  const data = encoder.encode(verifier);
  const hash = await crypto.subtle.digest('SHA-256', data);
  return base64URLEncode(new Uint8Array(hash));
}

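3. Redirect to Authorization URL

Redirect the user to the authorization page. The parameters are shown on separate lines for readability; URL-encode each value in the actual request: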

https://velora.tv/oauth/authorize?
  client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &response_type=code
  &scope=user:read stream:read
  &state=RANDOM_STATE_VALUE
  &code_challenge=YOUR_CODE_CHALLENGE
  &code_challenge_method=S256

4. Exchange Code for Token

After the user authorizes, exchange the code for an access token:

curl -X POST https://api.velora.tv/api/developer/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "code": "AUTHORIZATION_CODE",
    "redirect_uri": "https://yourapp.com/callback",
    "code_verifier": "YOUR_CODE_VERIFIER"
  }'

Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
  "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "user:read stream:read"
}
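
Steps 3 and 4 pass a state value and a redirect, but do not show how the URL is encoded or how the callback is checked before the code is exchanged. The following is an added example, not Velora's own code: the function names are hypothetical, and it assumes the redirect carries `code` and `state` (or `error`) as query parameters, as RFC 6749 specifies.

```javascript
// Added example (not Velora's code): build the step 3 URL, then validate
// the callback before step 4. Function names are hypothetical.
const AUTHORIZE_URL = 'https://velora.tv/oauth/authorize'; // from this page

// Random state value (step 3's RANDOM_STATE_VALUE): 128 bits, hex-encoded.
function newState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// URLSearchParams percent-encodes redirect_uri and the space-separated
// scope list, which a hand-concatenated URL would leave raw.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, state, codeChallenge }) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: scopes.join(' '),
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Assumption: the server returns `code` and `state` (or `error`) as query
// parameters on redirect_uri; the page does not show the callback itself.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // Reject any response not bound to the request this client started.
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  if (params.has('error')) {
    return { ok: false, reason: params.get('error') };
  }
  const code = params.get('code');
  if (!code) return { ok: false, reason: 'missing_code' };
  return { ok: true, code };
}
```

Store the state and code verifier per login attempt (for example in sessionStorage) and discard both once `readCallback` has run, whether it succeeded or not.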

Refreshing Tokens

Access tokens expire after 1 hour. Use the refresh token to get a new access token:

curl -X POST https://api.velora.tv/api/developer/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "refresh_token": "YOUR_REFRESH_TOKEN"
  }'

Available Scopes

Scopes control what actions your application can perform. Here are the most commonly used scopes:

Scope          Description
user:read      Read user profile information
user:write     Update user profile
stream:read    Read stream information
stream:write   Update stream settings
stream:key     Access stream key and ingest URLs
chat:read      Read chat messages
chat:write     Send chat messages
chat:moderate  Moderate chat (timeout, ban, delete)

Using Access Tokens

Include the access token in the Authorization header:

curl https://api.velora.tv/api/users/me \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
