OAuth Credentials
Sosyabot resolves OAuth app credentials in this order: per-platform admin override (in Options) → ENV variable. The admin panel exposes the override layer so you can rotate keys without redeploying.
Sixteen integration pages
Every supported provider has a dedicated form under /admin/api-integration/<provider>:
x-twitter, facebook, instagram (shares Facebook), linkedin, tiktok, threads, bluesky, mastodon, pinterest, youtube, reddit, discord, slack, telegram, qevron, listmonk, online-media-search (Unsplash / Pexels / Pixabay)
Storage keys
| Provider | Keys |
|---|---|
| X (Twitter) | x-twitter_client-id, x-twitter_client-secret |
| Facebook + Instagram | facebook_app-id, facebook_app-secret (Instagram shares these) |
| LinkedIn | linkedin_client-id, linkedin_client-secret |
| TikTok | tiktok_client-key, tiktok_client-secret |
| Threads | threads_app-id, threads_app-secret |
| Pinterest | pinterest_app-id, pinterest_app-secret |
| YouTube | youtube_client-id, youtube_client-secret |
| Reddit | reddit_client-id, reddit_client-secret, reddit_user-agent |
| Discord | discord_client-id, discord_client-secret, discord_bot-token |
| Slack | slack_client-id, slack_client-secret, slack_signing-secret |
| Mastodon | none — uses ENV MASTODON_INSTANCE_URL / MASTODON_CLIENT_KEY / MASTODON_CLIENT_SECRET; apps auto-registered per instance |
| Bluesky | none — uses ENV BLUESKY_SERVICE_URL; per-user app password at connect time |
| Telegram | none — per-user bot token at connect time |
| Listmonk | listmonk_base-url, listmonk_api-key, listmonk_username, listmonk_password |
| Qevron | qevron_api-base-url, qevron_api-key |
| Online Media Search | unsplash_access-key, unsplash_secret-key, pexels_api-key, pixabay_api-key |
Each provider also has a <provider>_integration_status key (enable / disable). Secret-type fields are masked in the list view and cleared after save (click Change to re-enter). See ENV Reference for the analogous env vars.
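The resolution order (admin override, then ENV) and the masking of secret-type fields can be audited with a small script. This is an added example, not Sosyabot's own code: the ENV naming rule in `envName`, the secret-field pattern, the mask string and the sample values are all assumptions made for illustration. It flags the case that matters after a rotation, where a stale override still shadows a newly rotated ENV value.

```javascript
// Added example, not Sosyabot source. Option keys follow the table above.
// Assumption: which key suffixes count as "secret-type" fields.
const SECRET_RE = /(secret|token|password|api-key|secret-key)$/;

// Hypothetical ENV naming: "x-twitter_client-id" -> "X_TWITTER_CLIENT_ID".
function envName(key) {
  return key.replace(/-/g, '_').toUpperCase();
}

const isSet = (v) => v !== undefined && v !== null && v !== '';

// Resolve one key: admin override (Options) first, then ENV.
function resolve(key, options, env) {
  if (isSet(options[key])) return { value: options[key], source: 'override' };
  const fromEnv = env[envName(key)];
  if (isSet(fromEnv)) return { value: fromEnv, source: 'env' };
  return { value: null, source: 'missing' };
}

// Never echo secret-type values; the fixed mask string is an assumption.
function mask(key, value) {
  return value !== null && SECRET_RE.test(key) ? '********' : value;
}

// Report, per key, which layer is in effect and whether an override
// hides a different ENV value (typical after rotating only the ENV side).
function audit(provider, keys, options, env) {
  const enabled = options[`${provider}_integration_status`] === 'enable';
  return keys.map((key) => {
    const { value, source } = resolve(key, options, env);
    const envValue = env[envName(key)];
    const shadowsEnv = source === 'override' && isSet(envValue) && envValue !== value;
    return { key, enabled, source, shadowsEnv, shown: mask(key, value) };
  });
}

// Constructed sample data: the secret was rotated in ENV, but an older
// admin override is still stored in Options.
const sampleOptions = {
  'x-twitter_integration_status': 'enable',
  'x-twitter_client-secret': 'old-override-secret',
};
const sampleEnv = {
  X_TWITTER_CLIENT_ID: 'env-client-id',
  X_TWITTER_CLIENT_SECRET: 'rotated-env-secret',
};
const sampleKeys = ['x-twitter_client-id', 'x-twitter_client-secret'];
console.table(audit('x-twitter', sampleKeys, sampleOptions, sampleEnv));
```

A row with `shadowsEnv: true` means the override must be updated or cleared in the admin panel before the rotated ENV value takes effect.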
Test endpoint
Each form has a Test button that calls:
GET /api/v1/options/test/oauth/:provider
The test fetches a token (or makes a getMe-style call) using the configured credentials and reports success or the upstream error inline.
When admin overrides take effect
Most platforms re-read credentials on the next OAuth callback — no restart needed. The Twitter (passport) strategy is the exception: it's reloaded automatically when X credentials change.