Prerequisites
You’ll need a Developer Portal account. Use the Developer Portal to create a test operator, manage API access for a connected operator account, or create a partner app. You do not need to connect a real operator account just to explore the API.Choose your connection method
Stora supports two ways to authenticate. Both use the same scopes and the sameAuthorization: Bearer <token> header — they differ in how you get the token.
Access tokens
A static secret key you generate in the Developer Portal. Use it immediately in requests — no token exchange needed. Good for: scripts, internal tools, quick automations, exploring the API.| Setup | Generate in the Developer Portal |
| Security | The token is long-lived. Store it securely. |
| Expiry | Configurable when you create it |
| Scopes | Configurable, can be modified later |
OAuth 2.0 applications
Short-lived access tokens issued via the OAuth 2.0 standard. Supports two grant types:- Client Credentials — server-to-server, no user interaction required
- Authorization Code — for partner integrations where an operator authorises your app
| Setup | Create or manage credentials in the Developer Portal |
| Security | Tokens are short-lived (2 hours) |
| Expiry | Automatic — request or refresh tokens as needed |
| Scopes | Configurable, can be modified later |
Option A: Access token
Open the Developer Portal
Go to
developer.stora.co and choose the flow that matches your work: Testing / looking around, Manage accounts, or Create partner app.Option B: OAuth 2.0 — Client Credentials
Use this when your server needs to talk to Stora without user interaction.Open the Developer Portal
Go to
developer.stora.co and choose Testing / looking around for test credentials, Manage accounts for a connected operator account, or Create partner app for a multi-operator integration.Create or select an operator context
Use a test operator for exploration. Use Manage accounts when you need credentials for a specific real operator.
Create Client Credentials
Create OAuth 2.0 Client Credentials and select the scopes your application needs.
access_token in subsequent requests. It expires after 2 hours (expires_in: 7200) — request a new one before it does.
Option C: OAuth 2.0 — Authorization Code
Use this when building a partner integration where an operator’s staff member authorises your app to access their data.Step 1: Redirect the user to authorise
Direct the user’s browser to:redirect_uri with an authorisation code:
Step 2: Exchange the code for tokens
Refreshing tokens
Access tokens expire after 2 hours. Use the refresh token to get a new one without requiring the user to re-authorise:access_token and a new refresh_token. The previous refresh token is revoked.
PKCE (optional)
PKCE (Proof Key for Code Exchange) protects the Authorization Code flow against code interception. Use it when your OAuth client is a single-user application running on a user-owned device — a mobile app, a desktop app, or a CLI tool. Generate acode_verifier and code_challenge before redirecting:
code_verifier when exchanging the code: