OAuth 2.0

Token-based authentication for Brevo integrations that act on behalf of a user

Brevo OAuth 2.0 lets your application request access to a user’s Brevo account with their consent. The user authenticates directly with Brevo — your app never handles their password.

API key vs OAuth 2.0

| | API key | OAuth 2.0 |
|---|---|---|
| Who authenticates | Your server | The end user |
| Best for | Server-to-server, direct integrations | Apps acting on behalf of users |
| Setup | Copy key from dashboard | brevo app create |
| Token lifetime | Until revoked | Access token: 1 hour · Refresh token: 30 days |

How it works

Key concepts

| Term | Description |
|---|---|
| client_id | Unique identifier for your OAuth app — safe to expose client-side |
| client_secret | Secret used to authenticate your app with Brevo — never expose this |
| redirect_uri | URL Brevo redirects to after the user authorizes — must be pre-registered |
| scope | Permissions your app requests, e.g. contacts:read or transactional.email:write. See Scopes. |
| access_token | Bearer token included in API requests. Expires after 1 hour. |
| refresh_token | Used to obtain a new access token when the current one expires. Valid for 30 days. |

Scopes

Scopes are the permissions your app requests on a user’s Brevo account. Each scope follows the pattern {resource}:{action} — for example, contacts:read to list contacts or transactional.email:write to send transactional emails.

  • New apps created with brevo app create are seeded with contacts:read, contacts:write, crm:read, crm:write. Change them with brevo app update --scope <scope>.
  • :write does not imply :read. Request both if your app needs both.
  • Request the minimum your app needs — users see every requested scope on the consent screen.

See the Scopes reference for the full catalog and how to inspect a token’s scopes.
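The scope rules above can be turned into a least-privilege check that runs before an app is deployed. The following is an added example, not Brevo code or tooling: the function names parse_scopes and audit are hypothetical, the space-delimited scope string follows the general OAuth 2.0 convention and is assumed here, and the allowed characters in the pattern are an assumption drawn from the examples on this page.

```python
import re

# Assumption: a resource is dot-separated lowercase words and an action is one
# lowercase word. The page states only the {resource}:{action} pattern.
SCOPE_RE = re.compile(r"^[a-z][a-z_]*(\.[a-z][a-z_]*)*:[a-z]+$")

# Scopes the page says a new app is seeded with by `brevo app create`.
SEEDED = "contacts:read contacts:write crm:read crm:write"


def parse_scopes(scope_string):
    """Split a space-delimited scope string and reject malformed entries."""
    scopes = set(scope_string.split())
    bad = sorted(s for s in scopes if not SCOPE_RE.match(s))
    if bad:
        raise ValueError(f"malformed scope(s): {bad}")
    return scopes


def audit(needed, configured):
    """Compare the scopes an app needs with the scopes it requests.

    Matching is exact: contacts:write does not satisfy a need for
    contacts:read, because :write does not imply :read.
    """
    needed, configured = parse_scopes(needed), parse_scopes(configured)
    missing = needed - configured
    return {
        # Needed but not requested: API calls using them would be refused.
        "missing": sorted(missing),
        # Requested but not needed: shown on the consent screen for no reason.
        "excess": sorted(configured - needed),
        # Missing reads whose matching write is requested, i.e. the
        # "write implies read" mistake.
        "write_without_read": sorted(
            s for s in missing
            if s.endswith(":read") and s[: -len(":read")] + ":write" in configured
        ),
    }


if __name__ == "__main__":
    # Constructed scenario: an app that lists contacts and sends transactional
    # email, but was left on the seeded default scopes.
    print(audit("contacts:read transactional.email:write", SEEDED))
```

Scopes reported under "excess" are candidates to drop with brevo app update --scope <scope>.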

OAuth apps are currently private only. A private app can only be authorized by users within your own Brevo organisation — it cannot be distributed to external users or listed in any marketplace. This makes it suitable for internal tools, automations, and integrations you build for your own team.

Support for public apps — where any Brevo user can authorize your integration — is planned for a future release.

Next steps