ZetPinDevelopers

Overview

The ZetPin Developer API lets external platforms act on behalf of ZetPin users — publish hyperlocal posts, read them, and pull engagement analytics — through a standard OAuth 2.0 + PKCE flow.

What it is

ZetPin is a hyperlocal super app. The Developer API (v1) is the public, OAuth 2.0 surface that lets another product publish posts to a user's neighborhood, list and read that user's posts, and pull per-post engagement metrics — all with the user's explicit consent. There are no direct database writes and no shared credentials: every integration, first-party or third-party, goes through the same authorization-code flow and the same set of scoped, short-lived Bearer tokens.

Who it's for

The API powers UniPostudio, ZetPin's first-party publishing client, and is open to any third-party developer building on top of ZetPin. Users and subscriptions stay separate across products; they connect only through the explicit OAuth account-linking flow. First-party clients run on the exact same security model as everyone else — they simply carry higher quotas.

Base URLs

PurposeURL
OAuth endpointshttps://api.zetpin.com/oauth
API v1https://api.zetpin.com/dev/v1

The auth model in one paragraph

You redirect the user to /oauth/authorize with your client_id, requested scopes, and (for public clients) a PKCE challenge. The user signs in with a phone OTP on ZetPin's consent page and approves. ZetPin redirects back to your registered redirect_uri with a single-use authorization code, which you exchange at /oauth/token for a zpat_ access token (1 hour) and a zprt_ refresh token (30 days, rotates on every use). You then call /dev/v1 endpoints with the access token as a Bearer credential.

bash
curl https://api.zetpin.com/dev/v1/me \
  -H "Authorization: Bearer zpat_xxx"

Getting credentials

App registration is admin-managed today (manual partner onboarding). To get a client_id and client_secret, email developers@zetpin.com. A self-serve developer dashboard is on the roadmap.

Next steps

  • Quickstart — an end-to-end walkthrough from redirect to a published post.
  • OAuth 2.0 flow — the authorization-code flow, endpoints, and client types.
  • PKCE — generate a code verifier and challenge (mandatory for public clients).
  • Scopes — what each of the four scopes grants.
  • Endpoints — the full API reference.