releases.shpreview

OAuth 2.1 with PKCE lands for API access

1 featureThis release1 featureNew capabilitiesAI-tallied from the release notes
From the original release noteView original ↗

Today, we're adding OAuth to the Resend API. Your app opens an authorization URL, the user approves it on Resend's own consent screen, and you get scoped access tokens back. No API keys change hands, and users can revoke access at any time.

Resend implements OAuth 2.1 with PKCE, plus Dynamic Client Registration for clients like MCP hosts that can't know their deployment details ahead of time.

What you can build with it

  • Desktop and CLI tools: register a loopback client, open the browser, and send on the user's behalf without ever touching their API key.
  • Hosted integrations: let users click "Connect Resend" in your product and grant scoped access.
  • Agents and MCP hosts: register dynamically at runtime and request the minimum scope they need.

Integrations already in the ecosystem

The ecosystem is already growing. Today, we launch with two third-party integrations operational.

Pop by Charm

Pop is a CLI tool for sending email from your terminal with a TUI or CLI, delivered through Resend, now authenticated through OAuth.

Raycast Resend Extension

Raycast is a favorite tool for so many builders, creators, and developers. The Raycast Resend extension now supports OAuth to enable managing API keys, domains, audiences, contacts, and emails without leaving Raycast.

How it works

For the full walkthrough, including both remote and local options, see Building an OAuth client for Resend.

1. Register your client

Call the Register Client endpoint to dynamically register your OAuth client. Request the smallest scope that works:

  • emails:send covers send-only routes like POST /emails and POST /broadcasts/:id/send.
  • full_access is required for every other route.

2. Generate PKCE values and send the user to authorize

Every authorization code exchange requires PKCE, so generate a code_verifier, its code_challenge, and a state value before you redirect.

3. Exchange the code for tokens

Send the original code_verifier using the preferred form encoding. You get back a JWT access token and an opaque refresh token.

4. Call the API with the access token

Pass the access token as a Bearer token to any route your scope allows. Access tokens expire after 15 minutes. Refresh them with the refresh token, which rotates on every use.

Users stay in control

Users can review and revoke any app's access from their Resend account's Team settings. You can also revoke a grant yourself by revoking its refresh token.

Conclusion

OAuth turns Resend into something users can safely plug into any app, and it's the same foundation behind our remote MCP server.

OAuth Support

Fetched July 15, 2026