Authorization header:
Obtaining a token
Link runs on Hellgate-managed infrastructure and authenticates with the platform OAuth2 flow. Exchange your client credentials for an access token, then send it as a bearer token. Your instance’s audience is its instance name (the {instance} slug from your base URL), and you request it together with the scopes your client needs:
audience=my-specter-instance my-link-instance). See Composition for details.
See Platform Authentication for the token endpoint, audiences, and the client-credentials request.
Scopes
Each endpoint requires a specific scope. Issue every token with the least privilege it needs: runtime clients should hold only invoke:execute, while configuration and operations belong to separate admin clients.
| Scope | Grants |
|---|---|
| invoke:execute | Invoke protocol actions (/api/invoke/{protocol}/{action}) |
| admin:protocols:read | Read protocols, requirements, and generated specs |
| admin:protocols:write | Create, import, and delete protocols |
| admin:backends:read | Read backends |
| admin:backends:write | Create, update, delete, and rotate credentials on backends |
| admin:managed-backends:write | Manage Hellgate-operated (managed) backends and their secrets |
| admin:keys:read | Read message-level-encryption keys |
| admin:keys:write | Create, update, delete, and rotate encryption keys |
| admin:executions:read | Read execution audit logs |
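
A least-privilege check over the scope table above, as an added example that is not Hellgate's own code: it audits client definitions and flags scopes outside the table (including a literal admin:* wildcard), runtime clients holding admin scopes, and admin clients that also hold invoke:execute. The client names, the "runtime"/"admin" role labels and the sample data are assumptions constructed for illustration.

```python
# Added example: audit OAuth2 client scope assignments against the scope table.
KNOWN_SCOPES = {
    "invoke:execute",
    "admin:protocols:read", "admin:protocols:write",
    "admin:backends:read", "admin:backends:write",
    "admin:managed-backends:write",
    "admin:keys:read", "admin:keys:write",
    "admin:executions:read",
}
RUNTIME_SCOPE = "invoke:execute"

# Constructed sample data: (client name, role label, space-delimited scopes).
# The client names and the "runtime"/"admin" role labels are assumptions.
SAMPLE_CLIENTS = [
    ("checkout-runtime", "runtime", "invoke:execute"),
    ("legacy-integration", "runtime", "invoke:execute admin:keys:write"),
    ("ops-console", "admin", "admin:protocols:read admin:backends:write"),
    ("wildcard-admin", "admin", "admin:* invoke:execute"),
]


def audit_client(name, role, scopes):
    """Return findings for one client; an empty list means it passes."""
    requested = set(scopes.split())
    # Anything outside the table is flagged, including a literal admin:* wildcard.
    findings = [f"{name}: unknown scope {s!r}" for s in sorted(requested - KNOWN_SCOPES)]
    admin = sorted(s for s in requested & KNOWN_SCOPES if s.startswith("admin:"))
    if role == "runtime":
        if RUNTIME_SCOPE not in requested:
            findings.append(f"{name}: runtime client lacks {RUNTIME_SCOPE}")
        findings += [f"{name}: runtime client holds admin scope {s}" for s in admin]
    elif role == "admin":
        if RUNTIME_SCOPE in requested:
            findings.append(f"{name}: admin client also holds {RUNTIME_SCOPE}")
    else:
        findings.append(f"{name}: unknown role {role!r}")
    return findings


def audit_all(clients):
    """Map each failing client name to its list of findings."""
    report = {}
    for name, role, scopes in clients:
        findings = audit_client(name, role, scopes)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for findings in audit_all(SAMPLE_CLIENTS).values():
        print("\n".join(findings))
```
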
Runtime and admin scopes serve different audiences. Grant invoke:execute to your payment or decisioning integration; reserve the admin:* scopes for operator and back-office clients that configure protocols, backends, and keys.
Next steps
Quickstart
Use your token to import a protocol, register a backend, and invoke an action.