Overview
The ZetPin Developer API lets external platforms act on behalf of ZetPin users — publish hyperlocal posts, read them, and pull engagement analytics — through a standard OAuth 2.0 + PKCE flow.
What it is
ZetPin is a hyperlocal super app. The Developer API (v1) is the public, OAuth 2.0 surface that lets another product publish posts to a user's neighborhood, list and read that user's posts, and pull per-post engagement metrics — all with the user's explicit consent. There are no direct database writes and no shared credentials: every integration, first-party or third-party, goes through the same authorization-code flow and the same set of scoped, short-lived Bearer tokens.
Who it's for
The API powers UniPostudio, ZetPin's first-party publishing client, and is open to any third-party developer building on top of ZetPin. Users and subscriptions stay separate across products; they connect only through the explicit OAuth account-linking flow. First-party clients run on the exact same security model as everyone else — they simply carry higher quotas.
Base URLs
| Purpose | URL |
|---|---|
| OAuth endpoints | https://api.zetpin.com/oauth |
| API v1 | https://api.zetpin.com/dev/v1 |
The auth model in one paragraph
You redirect the user to /oauth/authorize with your client_id, requested scopes, and (for public clients) a PKCE challenge. The user signs in with a phone OTP on ZetPin's consent page and approves. ZetPin redirects back to your registered redirect_uri with a single-use authorization code, which you exchange at /oauth/token for a zpat_ access token (1 hour) and a zprt_ refresh token (30 days, rotates on every use). You then call /dev/v1 endpoints with the access token as a Bearer credential.
curl https://api.zetpin.com/dev/v1/me \
-H "Authorization: Bearer zpat_xxx"Getting credentials
App registration is admin-managed today (manual partner onboarding). To get aclient_id and client_secret, email developers@zetpin.com. A self-serve developer dashboard is on the roadmap.Next steps
- Quickstart — an end-to-end walkthrough from redirect to a published post.
- OAuth 2.0 flow — the authorization-code flow, endpoints, and client types.
- PKCE — generate a code verifier and challenge (mandatory for public clients).
- Scopes — what each of the four scopes grants.
- Endpoints — the full API reference.