Use Login with Lockii when you want users to sign in with their Lockii account and let your app call Lockii on their behalf. This works for the REST API and the User MCP.
Configure in the app: Settings → Integrations → API
Method | Best for | Access level |
|---|---|---|
Login with Lockii (OAuth) | Third-party apps, user-delegated integrations, AI clients | Signed-in user's role & permissions |
API key | Server-to-server automation, Zapier, scripts | Company-level owner permissions |
Base URL: https://dash.lockii.app/api/v1
Start from protected resource metadata — most OAuth clients discover everything automatically from this URL:
https://dash.lockii.app/api/v1/.well-known/oauth-protected-resourceYou can also read authorization server metadata directly:
https://dash.lockii.app/api/v1/.well-known/oauth-authorization-serverEndpoint | URL |
|---|---|
Authorization |
|
Token |
|
Client registration |
|
Userinfo |
|
JWKS |
|
Scopes: openid profile email offline_access
Register your client — POST to the registration endpoint with your redirect_uris (dynamic client registration), or use credentials from an existing OAuth app.
Authorize — redirect the user to the authorization endpoint using OAuth 2.0 / OIDC with PKCE.
Sign in — the user signs in to Lockii and approves access on the consent screen.
Token exchange — exchange the authorization code at the token endpoint for an access token (and refresh token when offline_access is requested).
Call the API — send requests with:
Authorization: Bearer <access_token>Example:
curl https://dash.lockii.app/api/v1/booking?status=active&limit=10 \
-H "Authorization: Bearer <access_token>"For MCP clients, provide the MCP server URL. OAuth is discovered automatically:
https://dash.lockii.app/api/mcp/userMCP-specific OAuth discovery:
https://dash.lockii.app/api/mcp/user/.well-known/oauth-protected-resourceMCP clients (including ChatGPT and Claude) typically use dynamic client registration — you do not need to pre-share a client ID.
API keys still work as a fallback via x-api-key or ?api_key=....
OAuth requests run as the signed-in Lockii user.
Access is limited to that user's company, role, and location permissions.
Write operations still require the appropriate permissions for that user (e.g. payment refunds require organization:update).
Lockii REST API — full endpoint reference
User MCP — same capabilities as MCP tools for AI clients
Connecting Zapier — uses API keys, not OAuth