OAuth 2.0 | Brevo API Documentation

Brevo OAuth 2.0 lets your application request access to a user’s Brevo account with their consent. The user authenticates directly with Brevo — your app never handles their password.

API key vs OAuth 2.0

	API key	OAuth 2.0
Who authenticates	Your server	The end user
Best for	Server-to-server, direct integrations	Apps acting on behalf of users
Setup	Copy key from dashboard	`brevo app create`
Token lifetime	Until revoked	Access token: 1 hour · Refresh token: 30 days

How it works

Key concepts

Term	Description
`client_id`	Unique identifier for your OAuth app — safe to expose client-side
`client_secret`	Secret used to authenticate your app with Brevo — never expose this
`redirect_uri`	URL Brevo redirects to after the user authorizes — must be pre-registered
`scope`	Permissions your app requests — currently `all`
`access_token`	Bearer token included in API requests. Expires after 1 hour.
`refresh_token`	Used to obtain a new access token when the current one expires. Valid for 30 days.

OAuth apps are currently private only. A private app can only be authorized by users within your own Brevo organisation — it cannot be distributed to external users or listed in any marketplace. This makes it suitable for internal tools, automations, and integrations you build for your own team.

Support for public apps — where any Brevo user can authorize your integration — is planned for a future release.

Next steps

Quickstart

Get a working OAuth flow running locally in under 5 minutes.

Integration guide

Implement the full authorization code flow in your own application.

CLI reference

Complete reference for all brevo app commands and flags.