Support
Hosting

Authentication

OAuth 2.0 client credentials — exchange a client id and secret for an access token, then Bearer it on every call.

The Node.js Hosting API is authenticated with OAuth 2.0 client credentials. Every operation expects an Authorization: Bearer <token> header, and every operation is gated on OAuth scopes.

The flow

Rendering diagram...

Get a token

curl -X POST https://oauth.api.godaddy.com/v2/oauth2/token \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -d "grant_type=client_credentials" \
  -d "scope=hosting.paas.apps:read hosting.paas.apps:create hosting.paas.code:write hosting.paas.deploy:execute"

The response contains an access_token, token_type (Bearer), and expires_in (seconds). Cache and reuse it until it expires — don't request a new token per call.

Call the API

curl "$BASE_URL/v1/hosting/nodejs/apps" \
  -H "Authorization: Bearer $ACCESS_TOKEN"

Scopes

Request scopes at token time; each operation requires the scope printed on it in the reference. Ask only for what you need — narrower tokens are easier to reason about when something goes wrong.

ScopeWhat it unlocks
hosting.paas.apps:readList apps, read app detail, read deployments, read runtime status
hosting.paas.apps:createCreate apps and poll creation job status
hosting.paas.apps:updateUpdate app metadata (name, root path)
hosting.paas.apps:deleteDelete apps
hosting.paas.code:writeUpload zip source and poll upload jobs
hosting.paas.deploy:executePublish and roll back deployments
hosting.paas.secrets:writeList and manage per-variant secrets
hosting.paas.logs:readRead application and build logs

hosting.paas.analytics:read, hosting.paas.code:read, hosting.paas.github:execute, and hosting.paas.health:read also appear in the token server's scope list but do not currently gate any endpoint in this API. Don't request them unless a future release documents corresponding operations.

Token handling checklist

  • Never commit client secrets to version control. Store them in a secrets manager or your platform's secret store.
  • Refresh proactively — request a new token when the current one has less than a minute of life left.
  • Treat 401 as either an expired token (refresh and retry once) or an insufficient scope (fatal — request the missing scope on the next token exchange).
  • Log the scope required by a failed operation so you can widen the scope list without guessing.

See also

Agent & Automation Notes

Scopeshosting.paas.apps:read, hosting.paas.apps:create, hosting.paas.apps:update, hosting.paas.apps:delete, hosting.paas.code:write, hosting.paas.deploy:execute, hosting.paas.secrets:write, hosting.paas.logs:read
Rate limit10–120 req/min per client IP depending on operation
DestructiveNo
On failureOAuth access tokens are short-lived. Refresh before expiry. Treat 401 as an expired token or a missing scope.

Related

Last updated on

How is this guide?

On this page