Build your first integration
Go from zero to your first authenticated API call. The flow is OAuth 2.0 authorization code with PKCE.
Register an app
Create an app to get a client_id. Choose Confidential for a server-side app (you also get a client_secret) or Public for an SPA / mobile / CLI that uses PKCE only. Add your redirect URI and request the scopes you need.
Generate a PKCE verifier & challenge
PKCE protects the authorization code in transit. Generate a random code_verifier and derive the code_challenge from its SHA-256.
# 1. Create a high-entropy verifier
code_verifier=$(openssl rand -base64 64 | tr -d '\n=+/' | cut -c1-64)
# 2. Derive the challenge (base64url of its SHA-256)
code_challenge=$(printf "%s" "$code_verifier" \
| openssl dgst -sha256 -binary \
| openssl base64 | tr '+/' '-_' | tr -d '=')Send the user to authorize
Redirect the founder to the authorize endpoint with your client_id, redirect URI, scopes, a random state, and the challenge. They approve the scopes; Arx redirects back with a ?code=.
https://api.foundersarx.com/oauth/authorize
?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=https://your-app.com/oauth/callback
&scope=company:read%20captable:read
&state=RANDOM_STATE
&code_challenge=BASE64URL_SHA256_OF_VERIFIER
&code_challenge_method=S256Exchange the code for tokens
POST the code plus your code_verifier to the token endpoint. Confidential apps also send the client_secret. You get an access_token (and a refresh_token if you requested offline_access).
curl -X POST https://api.foundersarx.com/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d grant_type=authorization_code \
-d code=THE_CODE_FROM_REDIRECT \
-d redirect_uri=https://your-app.com/oauth/callback \
-d client_id=YOUR_CLIENT_ID \
-d client_secret=YOUR_CLIENT_SECRET \
-d code_verifier=$code_verifierCall the API
Send the access token as a bearer token. Pick the workspace with the x-arx-company header. Here we read the cap table.
curl https://api.foundersarx.com/api/v1/cap-table \
-H "Authorization: Bearer ACCESS_TOKEN" \
-H "x-arx-company: COMPANY_ID"That’s it — you’re integrated. Explore every endpoint in the reference.
Open the API reference