Use application's access tokens

Send OAuth2 access tokens with Wynncraft API requests

OAuth2 access tokens are sent with the standard bearer token header:

Authorization: Bearer <access_token>

Use the access token returned by POST /oauth/token to make authenticated requests on behalf of the authorized user.

User type

OAuth2-authenticated requests return UserType: OAUTH.

Rate limits

OAuth2 requests count as authenticated requests and use the authenticated rate limits documented on the Introduction page.

Rate limits apply per application user.

All tokens generated for the same user and the same OAuth2 application share the same rate-limit counters.

Inspecting the token context

Use GET /oauth/me to inspect:

  • the authenticated application
  • the granted scopes
  • the linked player profiles available to the token

Access rules

OAuth2 applications can only bypass access rules when the user granted permission for that behavior.

That bypass only applies to the authorizing user’s own linked profiles. It does not bypass access rules for unrelated players.
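
A preflight check built on GET /oauth/me and the access rules above, as an added example that is not part of the Wynncraft documentation: it sends the token only in the Authorization header and confirms the application, scopes and linked profile before a call is made on the user's behalf. The base URL, the JSON field names (application, scopes, profiles), the scope name and the sample response are assumptions constructed for illustration; the page does not document the response schema.

```python
import json
import urllib.request

# Assumption: placeholder host, not the real API base URL.
API_BASE = "https://api.example.invalid"

def build_me_request(access_token: str) -> urllib.request.Request:
    """Build GET /oauth/me with the token in the Authorization header only."""
    # Reject whitespace (including CR/LF) so a token value cannot inject extra headers.
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token is empty or contains whitespace")
    return urllib.request.Request(
        f"{API_BASE}/oauth/me",  # the token never goes into the URL or query string
        headers={"Authorization": f"Bearer {access_token}"},
        method="GET",
    )

def check_token_context(ctx, expected_app, required_scopes, target_profile):
    """Return a list of problems; an empty list means the token fits the planned call."""
    problems = []
    # Hypothetical field names; map them to the real /oauth/me response.
    if ctx.get("application") != expected_app:
        problems.append("token was issued to a different application")
    missing = set(required_scopes) - set(ctx.get("scopes", []))
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    # Access-rule bypass covers only the authorizing user's own linked profiles.
    if target_profile not in ctx.get("profiles", []):
        problems.append("target profile is not linked to the authorizing user")
    return problems

# Constructed sample of a /oauth/me response body (not real API output).
SAMPLE_ME = json.loads(
    '{"application": "my-app", "scopes": ["profile.read"], "profiles": ["PlayerOne"]}'
)
```

Run the check once after obtaining a token and again whenever a request returns an authorization error, since the user can change what was granted.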