Skip to main content

Authorization

The HoopAI Platform supports the Authorization Code Grant flow with v2 APIs. Follow the step-by-step procedure below to use and understand the OAuth 2.0 flow.

1. Register an OAuth app

  1. Go to the Marketplace
  2. Sign up for a developer account.
  3. Go to “My Apps,” and click on “Create App.”
  4. Fill up the required details in the form, then your app will be created.
  5. Click on the app, and it will take you to settings where you can configure the scopes, generate the keys, etc.

2. Add the app to your desired location

  1. Make the location/agency Admin go to the app’s Authorization Page URL.
  2. They select the location they want to connect.
  3. They are redirected to the redirect URL with the Authorization Code.
  4. Use the Authorization Code to get the Access token via the Get Access Token API under OAuth 2.0.
  5. Use the Access Token to call any API.

3. Get the app’s Authorization Page URL

To generate the Authorization Page URL for an app, replace the client_id, redirect_uri, and scope in the template below. Then, redirect the location/agency admin trying to install your app to the URL. Standard Auth URL flow: 
https://marketplace.gohighlevel.com/oauth/chooselocation?
response_type=code&
redirect_uri=https://myapp.com/oauth/callback/gohighlevel&
client_id=CLIENT_ID&
scope=conversations/message.readonly conversations/message.write
White-labeled Auth URL flow: 
https://marketplace.leadconnectorhq.com/oauth/chooselocation?
response_type=code&
redirect_uri=https://myapp.com/oauth/callback/gohighlevel&
client_id=CLIENT_ID&
scope=conversations/message.readonly conversations/message.write
For users who are not logged in at the time of giving consent, the developer has the option to initiate login in a new tab or the same tab. To initiate login in the same tab, append &loginWindowOpenMode=self to the authorization URL. If this query parameter is not passed, login in a new tab is the default.
When a user grants access, their browser is redirected to the specified redirect URI with the Authorization Code in the code query parameter: 
https://myapp.com/oauth/callback/gohighlevel?code=7676cjcbdc6t76cdcbkjcd09821jknnkj

OAuth FAQs

How long are the access tokens valid?

Access tokens are valid for one day. After that, you can use the refresh token to get a new access token, which will also be valid for another day.

How long are the refresh tokens valid?

Refresh tokens are valid for a year unless they are used. If they are used, the new refresh token is valid for a year as well.

How should we handle token expiry?

You should:
  1. Make a request to any API using the accessToken.
  2. If you get a response saying the token is expired, refresh the token using the refresh API and save the new access token and refresh token in your database.
  3. Make the request again with the new accessToken.
You can write a wrapper function on your end to achieve this and use it for all API calls.

What are the current rate limits for API 2.0?

The HoopAI Platform has implemented rate limits on public V2 APIs using OAuth to ensure optimal performance and stability:
  • Burst limit: A maximum of 100 API requests per 10 seconds for each Marketplace app per resource (Location or Company).
  • Daily limit: 200,000 API requests per day for each Marketplace app per resource (Location or Company).
To monitor your usage, refer to the following API response headers:
HeaderDescription
X-RateLimit-Limit-DailyYour daily limit
X-RateLimit-Daily-RemainingRemaining requests for the day
X-RateLimit-Interval-MillisecondsTime interval for burst requests
X-RateLimit-MaxMaximum request limit in the specified time interval
X-RateLimit-RemainingRemaining requests in the current time interval
Example: If your app is installed on two locations (Sub-account A and Sub-account B), the rate limits for each location are independent:
  1. Sub-account A: 200,000 API requests per day and 100 API requests per 10 seconds.
  2. Sub-account B: 200,000 API requests per day and 100 API requests per 10 seconds.
Last modified on March 4, 2026