Authentication
OAuth 2.0 client credentials, scopes, and token lifetime.
All Part3 API requests require a bearer token. Tokens are short-lived JWTs
(1 hour) obtained by exchanging a client ID + client secret at the
/v1/oauth/token endpoint.
Client credentials
Create an API key from the Admin Dashboard → Settings → API Keys. Each key has:
- Permissions — bitfield controlling which endpoints the key can call (project:read, document:read, etc.)
- Scope — the specific organizations and projects this key can access
The client secret is shown only once at creation time. Store it in a secret manager — if lost, delete and re-issue the key.
Token exchange
```bash
curl -X POST https://api.part3.io/v1/oauth/token \
  -H 'Content-Type: application/json' \
  -d '{ "client_id": "...", "client_secret": "..." }'
```

Response:

```json
{
  "access_token": "eyJhbGci...",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

Include the token on every request:

```bash
curl https://api.part3.io/v1/... \
  -H 'Authorization: Bearer eyJhbGci...'
```

Token lifetime
| Token type | TTL | Refresh |
|---|---|---|
| Client access token | 1 hour | Re-exchange credentials |
| MCP OAuth access token | 24 hours | Automatic refresh via MCP client |
| MCP OAuth refresh token | 90 days | Automatic |
Client applications should cache access tokens until they're within ~60s of expiry, then re-exchange. The MCP server handles this for you transparently.
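One way to implement that caching rule for the client-credentials flow, as an added example rather than Part3's own client code. The `TokenCache` class, the helper names, and the `PART3_CLIENT_ID` / `PART3_CLIENT_SECRET` environment variable names are assumptions; the endpoint and JSON fields are the ones shown on this page.

```python
import json
import os
import threading
import time
import urllib.request

TOKEN_URL = "https://api.part3.io/v1/oauth/token"  # endpoint given on this page
REFRESH_MARGIN = 60  # re-exchange once within ~60s of expiry

def exchange(client_id, client_secret, url=TOKEN_URL):
    """POST the credentials as JSON and return the parsed token response."""
    body = json.dumps({"client_id": client_id, "client_secret": client_secret})
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Thread-safe cache; `fetch` and `clock` are injectable for testing."""

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._lock = threading.Lock()
        self._token, self._expires_at = None, 0.0

    def get(self):
        with self._lock:  # one re-exchange even if many threads ask at once
            now = self._clock()
            if self._token is None or now >= self._expires_at - REFRESH_MARGIN:
                resp = self._fetch()
                if str(resp.get("token_type", "")).lower() != "bearer":
                    raise ValueError("unexpected token_type in response")
                # Count lifetime from before the request so we never overestimate it.
                self._expires_at = now + int(resp["expires_in"])
                self._token = resp["access_token"]
            return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}

def cache_from_env():
    # PART3_CLIENT_ID / PART3_CLIENT_SECRET are assumed names, populated by
    # your secret manager at deploy time; the secret never lives in source.
    return TokenCache(lambda: exchange(os.environ["PART3_CLIENT_ID"],
                                       os.environ["PART3_CLIENT_SECRET"]))
```

The cache uses a monotonic clock, so wall-clock adjustments on the host cannot extend a token's assumed lifetime.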
Endpoints
| Surface | Base URL |
|---|---|
| REST API | https://api.part3.io |
| MCP | https://mcp.part3.io |