What authentication method does the Pocket API use?

The Pocket API uses OAuth 1.0a for all third-party application authentication. This protocol ensures secure delegation of authorization without sharing user credentials directly with client applications.

How do I get a consumer key for the Pocket API?

You must request a consumer key by registering your application on the Pocket Developer portal. After providing details about your application, Pocket will issue a unique key.

Is user authorization always required for Pocket API access?

Yes, user authorization is mandatory. After obtaining a consumer key, your application must direct the user to Pocket's authorization page to grant explicit permission, which then provides an access token.

How should I store Pocket API credentials like access tokens?

Access tokens and secrets should be stored securely on your server-side, preferably in an encrypted database or secure credential store. Avoid storing them client-side in plain text.

Can I use basic authentication with a username and password for the Pocket API?

No, the Pocket API does not support basic authentication with a username and password. It exclusively uses the OAuth 1.0a protocol for secure, delegated access.

What is the purpose of signing API requests in Pocket's OAuth 1.0a?

Signing API requests ensures the integrity and authenticity of each request. It prevents tampering and verifies that the request originates from your authorized application, using your consumer secret and the user's access token secret.

Pocket Authentication: Methods, Credentials, and Security (2026)

Pocket authentication primarily uses OAuth for its API, allowing third-party applications to integrate securely by obtaining a consumer key and user authorization. This standard method ensures that user credentials are not directly exposed to client applications.

Authentication overview

Pocket provides an API that allows developers to integrate its core functionality—saving and retrieving articles—into third-party applications. Authentication for the Pocket API is primarily handled through the OAuth 1.0a protocol, which is an open standard for delegated authorization. This protocol enables applications to obtain limited access to user accounts on an HTTP service without requiring users to disclose their credentials to the third-party application itself OAuth 1.0 Protocol Overview. Instead, users grant specific permissions directly to Pocket, which then issues access tokens to the client application.

This approach enhances security by separating the authentication process from the authorization process. When an application needs to interact with a user's Pocket account, it first requests a consumer key from Pocket. Subsequently, the application directs the user to Pocket's authorization page, where the user explicitly grants permission. Upon successful authorization, Pocket provides the application with an access token and an access token secret, which are then used to sign subsequent API requests. This ensures that only authorized applications can perform actions on behalf of a user, and the user maintains control over which applications have access to their data.

Supported authentication methods

The Pocket API exclusively supports OAuth 1.0a for authenticating third-party applications. This method is designed to provide secure access to user data while protecting user credentials. The workflow involves several steps, including obtaining a consumer key, requesting an unauthorized request token, redirecting the user for authorization, and finally exchanging the authorized request token for an access token and access token secret.

Method	When to Use	Security Level
OAuth 1.0a	Integrating third-party applications with the Pocket API to save or retrieve user items.	High. Delegates authorization without sharing user credentials, uses signed requests.

Each API request made using OAuth 1.0a must be cryptographically signed. This signature ensures the integrity and authenticity of the request, preventing tampering and unauthorized access. The signature is generated using a combination of the consumer secret and the access token secret, along with other request parameters, and is included in the request header. This robust security mechanism is a key feature of the OAuth 1.0a specification RFC 5849: The OAuth 1.0 Protocol.

Getting your credentials

To begin integrating with the Pocket API, developers must first obtain a consumer key. This key identifies your application to Pocket and is essential for all subsequent authentication steps. The process for acquiring a consumer key involves making a request through the Pocket developer portal.

Access the Pocket Developer Page: Navigate to the Pocket Developer portal.
Request a Consumer Key: Follow the instructions to create a new application and request a consumer key. You will typically need to provide details about your application, such as its name, description, and redirect URI.
Receive Your Consumer Key: Once your application is approved, Pocket will issue a unique consumer key. This key, along with a consumer secret (often implicitly derived or tied to the key in OAuth 1.0a implementations), will be used to sign your initial requests for a request token.
User Authorization: After obtaining the consumer key, your application will need to facilitate user authorization. This involves:

Making an API call to request an unauthorized request token.
Redirecting the user to a Pocket authorization URL, where they log in and explicitly grant your application permission.
Receiving a callback from Pocket with an authorized request token.
Exchanging the authorized request token for a permanent access token and access token secret.

The consumer key is unique to your application and should be treated as a sensitive credential. The access token and access token secret, obtained after user authorization, are specific to a user and your application, allowing your application to act on that user's behalf. It is crucial to store these credentials securely and prevent unauthorized access.

Authenticated request example

Once you have obtained an access token and access token secret for a user, you can make authenticated API requests. All requests must be signed according to the OAuth 1.0a specification. While the exact implementation details depend on your chosen programming language and OAuth library, the fundamental steps involve constructing a base string, signing it, and adding the signature to the request header. Here's a conceptual example using a pseudocode-like structure for retrieving a user's items:

// Assume you have:
// consumer_key = "your_consumer_key"
// consumer_secret = "your_consumer_secret" // (often derived or handled by OAuth library)
// access_token = "user_access_token"
// access_token_secret = "user_access_token_secret"

// API Endpoint
const api_url = "https://getpocket.com/v3/get";

// Request Parameters (e.g., to retrieve unread items)
const params = {
    consumer_key: consumer_key,
    access_token: access_token,
    state: "unread",
    detailType: "complete"
};

// OAuth 1.0a Signature Process (handled by an OAuth library)
// 1. Generate a nonce and timestamp.
// 2. Construct a base string from HTTP method, base URL, and normalized parameters.
// 3. Sign the base string using HMAC-SHA1 with consumer_secret & access_token_secret.
// 4. Encode the signature and other OAuth parameters into the Authorization header.

// Example using a hypothetical 'oauth_signer' utility
const oauth_header = oauth_signer.generate_authorization_header(
    "POST", 
    api_url, 
    params, 
    consumer_key, 
    consumer_secret, 
    access_token, 
    access_token_secret
);

// Make the HTTP POST request
fetch(api_url, {
    method: "POST",
    headers: {
        "Content-Type": "application/json",
        "X-Accept": "application/json",
        "Authorization": oauth_header
    },
    body: JSON.stringify(params) // Body might also contain parameters depending on API
})
.then(response => response.json())
.then(data => {
    console.log("Pocket items:", data.list);
})
.catch(error => {
    console.error("Error fetching Pocket items:", error);
});

This example illustrates the conceptual flow. In a real-world scenario, you would use a well-vetted OAuth 1.0a library in your chosen language (e.g., oauth-1.0a for Node.js, requests-oauthlib for Python) to handle the complexities of signature generation and header construction, ensuring compliance with the protocol Pocket API Getting Started Guide.

Security best practices

When integrating with the Pocket API and handling user data, adhering to security best practices is paramount to protect both your application and your users. The use of OAuth 1.0a inherently provides a strong security foundation, but developers must implement it correctly.

Protect Your Consumer Key and Secret: Your application's consumer key and any associated secret are its primary identifiers. Never hardcode these credentials directly into client-side code (e.g., JavaScript in a web browser or mobile app). Instead, store them in a secure server-side environment or use environment variables.
Securely Store Access Tokens and Secrets: After a user authorizes your application, you receive an access token and access token secret. These credentials grant your application persistent access to the user's Pocket account. Store them securely in an encrypted database or a secure credential store. Avoid storing them in plain text or client-side storage like local storage or cookies, where they could be vulnerable to XSS attacks.
Use HTTPS Everywhere: Always communicate with the Pocket API over HTTPS. This encrypts all data in transit, protecting sensitive information like access tokens and API request bodies from eavesdropping and man-in-the-middle attacks. This is a fundamental security practice for any API integration Google Developers: Why HTTPS Matters.
Implement Proper Error Handling: Do not expose detailed error messages that could reveal sensitive information about your application's internal workings or user data. Log errors securely on your server and provide generic, user-friendly error messages to the client.
Validate Redirect URIs: When configuring your application in the Pocket developer portal, specify a precise redirect URI. This prevents attackers from intercepting authorization codes or tokens by redirecting users to malicious sites.
Least Privilege Principle: Request only the necessary permissions from users. If your application only needs to save items, do not request permissions to modify or delete them. This limits the potential impact if your application's credentials are ever compromised.
Regular Audits and Updates: Periodically review your application's security posture and keep your OAuth libraries and dependencies updated to patch any known vulnerabilities.

Pocket Authentication: Methods, Credentials, and Security (2026)

Authentication overview

Supported authentication methods

Getting your credentials

Authenticated request example

Security best practices

Frequently asked questions

Reviews

Discussion

Written by