Skip to content

OAuth Credentials

Sosyabot resolves OAuth app credentials in this order: per-platform admin override (in Options) → ENV variable. The admin panel exposes the override layer so you can rotate keys without redeploying.

Sixteen integration pages

Every supported provider has a dedicated form under /admin/api-integration/<provider>:

  • x-twitter, facebook, instagram (shares Facebook), linkedin, tiktok, threads
  • bluesky, mastodon, pinterest, youtube, reddit
  • discord, slack, telegram
  • qevron, listmonk, online-media-search (Unsplash / Pexels / Pixabay)

Storage keys

ProviderKeys
X (Twitter)x-twitter_client-id, x-twitter_client-secret
Facebook + Instagramfacebook_app-id, facebook_app-secret (Instagram shares these)
LinkedInlinkedin_client-id, linkedin_client-secret
TikToktiktok_client-key, tiktok_client-secret
Threadsthreads_app-id, threads_app-secret
Pinterestpinterest_app-id, pinterest_app-secret
YouTubeyoutube_client-id, youtube_client-secret
Redditreddit_client-id, reddit_client-secret, reddit_user-agent
Discorddiscord_client-id, discord_client-secret, discord_bot-token
Slackslack_client-id, slack_client-secret, slack_signing-secret
Mastodonnone — uses ENV MASTODON_INSTANCE_URL / MASTODON_CLIENT_KEY / MASTODON_CLIENT_SECRET; apps auto-registered per instance
Blueskynone — uses ENV BLUESKY_SERVICE_URL; per-user app password at connect time
Telegramnone — per-user bot token at connect time
Listmonklistmonk_base-url, listmonk_api-key, listmonk_username, listmonk_password
Qevronqevron_api-base-url, qevron_api-key
Online Media Searchunsplash_access-key, unsplash_secret-key, pexels_api-key, pixabay_api-key

Each provider also has a <provider>_integration_status key (enable / disable). Secret-type fields are masked in the list view and cleared after save (click Change to re-enter). See ENV Reference for the analogous env vars.

Test endpoint

Each form has a Test button that calls:

GET /api/v1/options/test/oauth/:provider

The test fetches a token (or makes a getMe-style call) using the configured credentials and reports success or the upstream error inline.

When admin overrides take effect

Most platforms re-read credentials on the next OAuth callback — no restart needed. The Twitter (passport) strategy is the exception: it's reloaded automatically when X credentials change.