Authentication
OAuth 2.0 client credentials — exchange a client id and secret for an access token, then Bearer it on every call.
The Node.js Hosting API is authenticated with OAuth 2.0 client credentials. Every operation expects an Authorization: Bearer <token> header, and every operation is gated on OAuth scopes.
The flow
Get a token
curl -X POST https://oauth.api.godaddy.com/v2/oauth2/token \
-u "$CLIENT_ID:$CLIENT_SECRET" \
-d "grant_type=client_credentials" \
-d "scope=hosting.paas.apps:read hosting.paas.apps:create hosting.paas.code:write hosting.paas.deploy:execute"The response contains an access_token, token_type (Bearer), and expires_in (seconds). Cache and reuse it until it expires — don't request a new token per call.
Call the API
curl "$BASE_URL/v1/hosting/nodejs/apps" \
-H "Authorization: Bearer $ACCESS_TOKEN"Scopes
Request scopes at token time; each operation requires the scope printed on it in the reference. Ask only for what you need — narrower tokens are easier to reason about when something goes wrong.
| Scope | What it unlocks |
|---|---|
hosting.paas.apps:read | List apps, read app detail, read deployments, read runtime status |
hosting.paas.apps:create | Create apps and poll creation job status |
hosting.paas.apps:update | Update app metadata (name, root path) |
hosting.paas.apps:delete | Delete apps |
hosting.paas.code:write | Upload zip source and poll upload jobs |
hosting.paas.deploy:execute | Publish and roll back deployments |
hosting.paas.secrets:write | List and manage per-variant secrets |
hosting.paas.logs:read | Read application and build logs |
hosting.paas.analytics:read, hosting.paas.code:read, hosting.paas.github:execute, and hosting.paas.health:read also appear in the token server's scope list but do not currently gate any endpoint in this API. Don't request them unless a future release documents corresponding operations.
Token handling checklist
- Never commit client secrets to version control. Store them in a secrets manager or your platform's secret store.
- Refresh proactively — request a new token when the current one has less than a minute of life left.
- Treat
401as either an expired token (refresh and retry once) or an insufficient scope (fatal — request the missing scope on the next token exchange). - Log the scope required by a failed operation so you can widen the scope list without guessing.
See also
Getting started
See the token exchange in a full end-to-end deploy.
API reference
Every endpoint with the required scope inline.
Agent & Automation Notes
hosting.paas.apps:read, hosting.paas.apps:create, hosting.paas.apps:update, hosting.paas.apps:delete, hosting.paas.code:write, hosting.paas.deploy:execute, hosting.paas.secrets:write, hosting.paas.logs:readRelated
Last updated on
How is this guide?