Vista Social supports an OAuth 2.0 authorization server that lets third-party apps authenticate users and obtain access on their behalf using the Authorization Code flow with PKCE (S256), returning an authorization code and preserving state for request correlation and CSRF protection. Apps exchange the code (with a PKCE verifier) for opaque Bearer access and refresh tokens, and can later rotate tokens using the refresh token grant. We also support the client credentials grant for server-to-server use cases, and a legacy password grant for internal/controlled scenarios. OAuth discovery metadata is exposed for clients that can auto-configure from standard authorization-server metadata.
For full implementation guidance, examples, and API reference, see the documentation at https://apidocs.vistasocial.com/