reference· 2 min read

Third-party API & OAuth integration

OAuth 2.0 API for partners — flight upload, read, and pilot data

What this is

we-fly exposes an OAuth 2.0–compliant REST API so external platforms (flight trackers, coaching tools, mobile apps) can upload IGC flights and read pilot data with explicit user consent.

Four credential flows are available:

Server-to-server (client credentials) — your backend acts on your own we-fly account.
Authorization Code + PKCE — your app acts on behalf of any user who grants consent.
Device code (RFC 8628) — CLIs, varios, and other browser-less devices.
Personal API keys — for your own scripts; can't grant destructive scopes.

All four end up presenting a Bearer token to /api/v1/* endpoints.

Want event push instead of polling? Register a webhook under your application — we'll POST signed payloads to your URL when a flight is uploaded, deleted, or other events you subscribe to.

Where to start

Register an application or API key: /developer.
Full partner documentation: see the docs/api/ folder in our repo:
- README.md — index
- overview.md — concepts
- oauth-server-to-server.md — client credentials
- oauth-user-authorization.md — Authorization Code + PKCE
- oauth-device-code.md — device-code flow for CLIs and varios
- api-keys.md — personal keys
- webhooks.md — event push (HMAC-signed)
- scopes.md — permissions reference
- endpoints.md — endpoint reference
- errors.md — error codes
- rate-limits.md — quotas
- usage-telemetry.md — per-app counters & error rate
- security.md — operational expectations
- openapi.yaml — machine-readable OpenAPI 3.1 spec

Sixty-second example

# Server-to-server token
TOKEN=$(curl -s -X POST https://we-fly.cloud/api/oauth/token \
  -u "wf_app_…:wf_secret_…" \
  -d "grant_type=client_credentials" \
  -d "scope=flights:read" | jq -r .access_token)

# Use it
curl https://we-fly.cloud/api/v1/flights \
  -H "Authorization: Bearer ${TOKEN}"

RFC compliance

RFC 6749 — OAuth 2.0 Authorization Framework
RFC 6750 — Bearer Token Usage
RFC 7009 — Token Revocation
RFC 7636 — PKCE (mandatory for public clients)
RFC 7662 — Token Introspection
RFC 8414 — Authorization Server Metadata (/.well-known/oauth-authorization-server)
RFC 8628 — Device Authorization Grant (/api/oauth/device_authorization)

Token theft detection follows RFC 6819 §5.2.2.3 — refresh token rotation is single-use, and replay revokes the entire token chain for that user+app.

The integration platform shipped in alpha.28. Endpoints under /api/v1/* and /api/oauth/* are part of the public contract; everything else is internal to the dashboard and may change without notice.

For partner support, open an issue on GitHub with the api label.

What this is

we-fly exposes an OAuth 2.0–compliant REST API so external platforms (flight trackers, coaching tools, mobile apps) can upload IGC flights and read pilot data with explicit user consent.

Four credential flows are available:

Server-to-server (client credentials) — your backend acts on your own we-fly account.

Authorization Code + PKCE — your app acts on behalf of any user who grants consent.

Device code (RFC 8628) — CLIs, varios, and other browser-less devices.

Personal API keys — for your own scripts; can't grant destructive scopes.

All four end up presenting a Bearer token to /api/v1/* endpoints.

Want event push instead of polling? Register a webhook under your application — we'll POST signed payloads to your URL when a flight is uploaded, deleted, or other events you subscribe to.

Where to start

Register an application or API key: /developer.

Full partner documentation: see the docs/api/ folder in our repo:

README.md — index
overview.md — concepts
oauth-server-to-server.md — client credentials
oauth-user-authorization.md — Authorization Code + PKCE
oauth-device-code.md — device-code flow for CLIs and varios
api-keys.md — personal keys
webhooks.md — event push (HMAC-signed)
scopes.md — permissions reference
endpoints.md — endpoint reference
errors.md — error codes
rate-limits.md — quotas
usage-telemetry.md — per-app counters & error rate
security.md — operational expectations
openapi.yaml — machine-readable OpenAPI 3.1 spec

Sixty-second example

# Server-to-server token TOKEN=$(curl -s -X POST https://we-fly.cloud/api/oauth/token \ -u "wf_app_…:wf_secret_…" \ -d "grant_type=client_credentials" \ -d "scope=flights:read" | jq -r .access_token) # Use it curl https://we-fly.cloud/api/v1/flights \ -H "Authorization: Bearer ${TOKEN}"

RFC compliance

RFC 6749 — OAuth 2.0 Authorization Framework

RFC 6750 — Bearer Token Usage

RFC 7009 — Token Revocation

RFC 7636 — PKCE (mandatory for public clients)

RFC 7662 — Token Introspection

RFC 8414 — Authorization Server Metadata (/.well-known/oauth-authorization-server)

RFC 8628 — Device Authorization Grant (/api/oauth/device_authorization)

Token theft detection follows RFC 6819 §5.2.2.3 — refresh token rotation is single-use, and replay revokes the entire token chain for that user+app.

Third-party API & OAuth integration

What this is

Where to start

Sixty-second example

RFC compliance

Status

Third-party API & OAuth integration

What this is

Where to start

Sixty-second example

RFC compliance

Status