Authentication Methods

Speckle supports multiple authentication mechanisms for different use cases. Choose the right method based on whether you’re building a single-user tool, a multi-user web application, or a server-side integration.
  • Personal Access Tokens (PATs): PATs can be generated in the user profile settings and provide a simple way to authenticate without needing to implement a token exchange on demand. However, they should be kept secure and should not be used for multi-user applications or public-facing apps, as they are tied to a single user and can be easily compromised if not handled properly.
  • OAuth2 Authorization Code Flow with PKCE: This is the recommended method for web applications that need to authenticate multiple users. PKCE enhances security by ensuring authorization codes cannot be intercepted or reused.

Use Personal Access Tokens

When:
  • Single-user tools or scripts
  • Server-side applications
  • Automation and CI/CD
  • Personal development projects

Use OAuth2 with PKCE

When:
  • Multi-user web applications
  • Public-facing apps
  • Third-party integrations
  • Apps requiring user consent

Security Best Practices

Token Management

Treat all tokens as sensitive information. Proper token management is critical for security.
Do:
  • Store tokens in environment variables
  • Use .gitignore to exclude .env files
  • Rotate tokens periodically
  • Use scoped tokens with minimal permissions
  • Revoke tokens when no longer needed
  • Use secure storage (keychain, secret managers) in production
  • Implement token refresh for OAuth2 tokens
Don’t:
  • Commit tokens to version control
  • Share tokens between team members
  • Use PATs in client-side code (use OAuth instead)
  • Store tokens in plain text files
  • Use overly permissive scopes
  • Expose app secrets in client-side code
  • Log tokens in application logs

Token Compromise Response

If a token is compromised:
  1. Revoke immediately - Go to Settings → Developer → Access Tokens and revoke the compromised token
  2. Generate new token - Create a replacement with the same scopes
  3. Update application - Replace the token in your application
  4. Review access logs - Check for unauthorized access
  5. Rotate related credentials - If app secret was exposed, regenerate it

Community Resources

speckle-auth Package

For JavaScript/TypeScript developers, the community-maintained speckle-auth package simplifies the authentication process by providing utility functions for handling OAuth2 flows with Speckle. The package handles PKCE generation, state management, and token exchange automatically, making OAuth2 implementation much simpler. See the package documentation for installation and usage instructions.

Last modified on March 26, 2026