The BetaTesting API supports two authentication methods: static API keys for simple integrations, and OAuth2 Client Credentials for applications that need scoped access control. Both methods use Bearer token authentication.
Choosing an Authentication Method
| | Static API Key | OAuth2 Client Credentials |
|---|---|---|
| Best for | Simple scripts, quick integrations, single-purpose tools | Production applications, multi-service architectures, fine-grained access control |
| Setup | One-click — create and copy your key | Create client, then exchange credentials for a token |
| Access scopes | Full read + write access | Configurable — read-only, write-only, or both |
| Token lifecycle | Permanent until deleted or expired | Short-lived access tokens, refreshed via client credentials |
| Limit | 1 per company | Up to 5 per company |
Static API Keys
A static API key is the simplest way to authenticate. It's a single token that you include in every API request.
Creating a Static API Key
Go to Company Settings > Integrations
In the API Clients section, click Create API Client
Select Static Token
Enter a descriptive name (e.g., "Jira Integration" or "Internal Dashboard")
Click Create
Your API key will be displayed once. Copy it immediately and store it securely - you won't be able to view it again.
Static API keys use the format: btst_ followed by a 64-character string (e.g., btst_a1b2c3d4...).
Using a Static API Key
Include your key in the Authorization header of every API request:
GET /api/external/v2/tests
Authorization: Bearer btst_your_api_key_here
Static API keys grant both read and write access to all API endpoints.
OAuth2 Client Credentials
OAuth2 is the recommended approach for production applications. You create a client with a Client ID and Client Secret, then exchange those for a short-lived access token.
Creating an OAuth2 Client
Go to Company Settings > Integrations
In the API Clients section, click Create API Client
Select OAuth2
Enter a descriptive name
Click Create
You'll receive a Client ID and Client Secret. The secret is displayed once — copy and store it securely.
Obtaining an Access Token
Exchange your client credentials for an access token by calling the token endpoint:
POST /api/external/v2/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&scope=api:read api:write
Available scopes:
api:read — Access to all GET endpoints (list and retrieve resources)
api:write — Access to all mutation endpoints (create, update, delete resources)
You can request one or both scopes depending on your application's needs.
Response:
{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "eyJ0eXAiOiJKV1Q..."
}
Using an OAuth2 Access Token
Include the access token in the Authorization header:
GET /api/external/v2/tests
Authorization: Bearer eyJ0eXAiOiJKV1Q...
When the token expires, request a new one using your client credentials. Access tokens should not be cached beyond their expires_in duration.
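The token exchange and refresh rule above, as an added example (not BetaTesting's own client library): a small helper that posts the client-credentials form to the token endpoint, caches the access token only for its expires_in lifetime, and refetches it shortly before expiry. The class name, the injectable post/now parameters and the 60-second safety margin are assumptions of this example; the endpoint, form fields, scopes and response shape follow the page.

```python
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://betatesting.com/api/external/v2"
TOKEN_URL = BASE_URL + "/oauth/token"


def _http_post(url, body, headers):
    """Default transport: POST a form body and return the response text."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class ClientCredentialsSession:
    """Assumed helper: caches an access token no longer than its expires_in
    and refreshes it `margin` seconds early so in-flight requests never
    carry an expired token."""

    def __init__(self, client_id, client_secret, scope="api:read",
                 post=_http_post, now=time.time, margin=60):
        self._id, self._secret, self._scope = client_id, client_secret, scope
        self._post, self._now, self._margin = post, now, margin
        self._token, self._expires_at = None, 0.0

    def _fetch_token(self):
        # Same form body as the token request shown in the docs above.
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self._id,
            "client_secret": self._secret,
            "scope": self._scope,
        }).encode("ascii")
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        data = json.loads(self._post(TOKEN_URL, body, headers))
        if data.get("token_type") != "Bearer" or "access_token" not in data:
            raise RuntimeError("unexpected token response: %r" % (data,))
        self._token = data["access_token"]
        # Absolute expiry time, so the cache can never outlive expires_in.
        self._expires_at = self._now() + float(data["expires_in"])

    def token(self):
        """Return a usable access token, fetching a fresh one when none is
        cached or the cached one is within `margin` seconds of expiring."""
        if self._token is None or self._now() >= self._expires_at - self._margin:
            self._fetch_token()
        return self._token

    def auth_header(self):
        """Authorization header for any /api/external/v2 request."""
        return {"Authorization": "Bearer " + self.token()}
```

Pass the client ID and secret in from an environment variable or secrets manager rather than as literals, as the best-practices section below advises.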
Security Best Practices
Store Credentials Securely
Never hard-code API keys or client secrets in source code
Use environment variables or a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault)
Never share credentials via email, chat, or version control
IP Allowlisting
Your BetaTesting account manager can configure an IP allowlist for your API clients. When enabled, API requests are only accepted from the specified IP addresses. This adds an extra layer of security for production deployments.
Token Expiration
Your account manager can set an expiration date on API clients. Expired clients are automatically rejected. This is useful for temporary integrations or time-limited access.
Least Privilege
When using OAuth2, request only the scopes your application needs. If your integration only reads data, use api:read only.
Rotate Credentials Regularly
If you suspect a credential has been compromised, delete the API client immediately from the Integrations page and create a new one.
API Base URL
All API requests use the following base URL:
https://betatesting.com/api/external/v2
Deleting API Clients
To revoke access for an API client:
Go to Company Settings > Integrations
Find the API client you want to remove
Click Delete
Confirm the deletion
All requests using that client's credentials will immediately return 401 Unauthorized.
