OAuth 2.1 with PKCE lands for API access
Today, we're adding OAuth to the Resend API. Your app opens an authorization URL, the user approves it on Resend's own consent screen, and you get scoped access tokens back. No API keys change hands, and users can revoke access at any time.
Resend implements OAuth 2.1 with PKCE, plus Dynamic Client Registration for clients like MCP hosts that can't know their deployment details ahead of time.
What you can build with it
- Desktop and CLI tools: register a loopback client, open the browser, and send on the user's behalf without ever touching their API key.
- Hosted integrations: let users click "Connect Resend" in your product and grant scoped access.
- Agents and MCP hosts: register dynamically at runtime and request the minimum scope they need.
Integrations already in the ecosystem
The ecosystem is already growing. Today, we launch with two third-party integrations operational.
Pop by Charm
Pop is a CLI tool for sending email from your terminal with a TUI or CLI, delivered through Resend, now authenticated through OAuth.
Raycast Resend Extension
Raycast is a favorite tool for so many builders, creators, and developers. The Raycast Resend extension now supports OAuth to enable managing API keys, domains, audiences, contacts, and emails without leaving Raycast.
How it works
For the full walkthrough, including both remote and local options, see Building an OAuth client for Resend.
1. Register your client
Call the Register Client endpoint to dynamically register your OAuth client. Request the smallest scope that works:
emails:sendcovers send-only routes likePOST /emailsandPOST /broadcasts/:id/send.full_accessis required for every other route.
2. Generate PKCE values and send the user to authorize
Every authorization code exchange requires PKCE, so generate a code_verifier, its code_challenge, and a state value before you redirect.
3. Exchange the code for tokens
Send the original code_verifier using the preferred form encoding. You get back a JWT access token and an opaque refresh token.
4. Call the API with the access token
Pass the access token as a Bearer token to any route your scope allows. Access tokens expire after 15 minutes. Refresh them with the refresh token, which rotates on every use.
Users stay in control
Users can review and revoke any app's access from their Resend account's Team settings. You can also revoke a grant yourself by revoking its refresh token.
Conclusion
OAuth turns Resend into something users can safely plug into any app, and it's the same foundation behind our remote MCP server.

Fetched July 15, 2026


