API Authentication
Choose between personal access tokens or OAuth2 clients.
API Tokens
Generate tokens from Settings → API Keys. Include them using `Authorization: Bearer <token>`. Rotate keys regularly and revoke unused tokens immediately.
OAuth2
Register OAuth2 clients for multi-user integrations. TXH supports the authorization code flow with PKCE. All redirect URIs must use HTTPS in production.
Webhook Signatures
Each webhook includes an HMAC signature in `X-TXH-Signature`. Compute the digest using your secret to verify authenticity and guard against replay attacks.