Before you start
You should have:x-api-key(dk_live_…) andx-api-secret(ds_…) for your app — these double as your OAuth client ID / client secret (see Authentication and Apply for API Access)- A registered redirect URI. For this walkthrough we’ll use Postman’s callback — add
https://oauth.pstmn.io/v1/callbackto your app’s Redirect URIs in the Integrations Portal first (it takes effect instantly) - A real Daysync user account (sign up at app.daysync.com if you don’t have one)
- Terminal access with
curl,jq, andopenssl
Step 1 — Generate a PKCE pair
PKCE (S256) is required on every authorization. Generate acode_verifier and its code_challenge:
Step 2 — Get a user authorization code
Open this URL in a browser (the line breaks are for reading; remove them before pasting):code value out of the URL bar.
Step 3 — Exchange the code for tokens
Authenticate the client with HTTP Basic auth (-u) using your API key and secret, and include the PKCE code_verifier:
scope as the authoritative record of what the user consented to, and expires_in as the token’s real remaining life (it can be less than 3600 — refresh when it nears zero):
Step 4 — List the user’s organizations
This is the canonical first API call. Every integration starts here because every other resource is scoped to an organization.org_id for the next step:
Step 5 — List tours for that organization
Step 6 — Refresh the access token
Access tokens expire in ≈60 minutes. Refresh tokens last 30 days. Refresh with the same client credentials — no PKCE needed on refresh:scope). Keep reusing the refresh token until it expires after 30 days; when it does, the call fails with 400 invalid_grant and you send the user through the authorization flow again.
Going to production
What’s next
Common Workflows
End-to-end recipes — full tour setup, sync loops, guest list management.
Endpoint Reference
Every endpoint with request bodies, response shapes, and required scopes.
Scopes
Which scopes you need to request for each endpoint.
Errors
Every HTTP status code and machine-readable error code.
Trouble?
invalid_grant on token exchange
invalid_grant on token exchange
Authorization codes expire fast (~5 minutes) and are single-use, and the
code_verifier must match the code_challenge you sent in Step 2. Redo Step 1–2 for a fresh PKCE pair and code, then run Step 3 promptly.invalid_request: PKCE S256 (code_challenge) is required
invalid_request: PKCE S256 (code_challenge) is required
Your authorize URL is missing
code_challenge or code_challenge_method=S256. PKCE is mandatory — generate the pair in Step 1 and include both parameters.403 INSUFFICIENT_SCOPE
403 INSUFFICIENT_SCOPE
Your partner credentials weren’t issued with the scope this endpoint requires. Cross-reference the endpoint’s required scope on Scopes & Permissions, then email
support@daysync.com to request additional scopes.'This application's redirect URL is not registered'
'This application's redirect URL is not registered'
The
redirect_uri in your authorize URL isn’t on your app’s allowlist. Add it under Redirect URIs in the Integrations Portal — it takes effect immediately. See Callback URLs for the exact-match rules.
