Skip to main content

Documentation Index

Fetch the complete documentation index at: https://open.manus.ai/docs/llms.txt

Use this file to discover all available pages before exploring further.

Questions or issues? Contact us at api-support@manus.ai. Manus supports OAuth2 for third-party integrations that act on behalf of a user. OAuth apps are scoped to a team — only members of the same team can authorize the app.
Team only: OAuth app creation and authorization require a Team account. Personal accounts cannot create or authorize OAuth apps.

Overview

The implementation follows RFC 6749 (Authorization Code Grant) and RFC 7636 (PKCE). Three modes are supported:
ModeUse caseRequires client_secret
PKCE + Secret (Recommended)Backend with extra security (OAuth 2.1)Yes
SecretBackend servicesYes
PKCENative apps, CLIs, SPAsNo

Creating an OAuth app

Create an OAuth app from the Manus Integrations settings. Fill in the app name, description, redirect URIs, and homepage URL. After creation, you’ll receive a client_id and an initial client_secret. The secret is only shown once — store it securely.

Redirect URI rules

  • Must be an absolute URI (include scheme).
  • No wildcards (*). No fragments (#).
  • Forbidden schemes: javascript, data, file, about, vbscript.
  • http / https must include a host.
  • Custom schemes are allowed (e.g. com.example.app://oauth) for native apps.
  • Matched exactly at authorization time (RFC 6749 §3.1.2).

Scopes

Configure the scopes your app can request via UpdateOAuth2App: 
{
  "client_id": "client_xxx",
  "scope_config": {
    "scopes": ["create_task", "use_connectors"],
    "connector_uids": ["bbb0df76-..."]
  }
}

Available scopes

ScopeDescriptionNotes
create_taskCreate and manage tasksCan only access tasks created by this app
manage_all_tasksManage all of the user’s tasksBroad access — use only when necessary
create_projectCreate projects
use_connectorsUse third-party connectorsMust also specify connector_uids
use_my_browsersUse My Browser connectorIndependent from use_connectors
use_my_browsers is a separate scope from use_connectors — they do not overlap.

Task visibility by scope

Token scopeVisible tasks
create_taskOnly tasks created by this OAuth app (filtered by oauth_client_id)
manage_all_tasksAll of the user’s tasks
API KeyAll of the user’s tasks

Authorization flow

Step 1: Redirect to authorization

Send the user to: 
https://manus.im/openapi/oauth?client_id={client_id}
The consent page displays the app’s name, requested scopes, and connector list. The user reviews and approves.

Step 2: Receive the authorization code

After approval, the user is redirected to your registered callback: 
{redirect_uri}?code={code}&state={state}
Authorization code properties:
  • Format: code_{client_id}_{shortuuid}
  • Expires in 10 minutes
  • Single-use (atomic consumption, prevents replay)

Step 3: Exchange code for tokens

Also supports application/x-www-form-urlencoded and Authorization: Basic header for client credentials (RFC 6749 §2.3.1). Success response: 
{
  "access_token": "eyJhbGciOiJI...",
  "token_type": "Bearer",
  "expires_in": 86400,
  "refresh_token": "refresh_xxx_xxx_xxx",
  "scope": "create_task use_connectors"
}
FieldFormatLifetime
access_tokenJWT24 hours
refresh_tokenrefresh_{shortuuid}_{shortuuid}_{shortuuid}30 days

Step 4: Refresh tokens

curl -X POST https://api.manus.ai/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "refresh_token": "{refresh_token}",
    "client_id": "{client_id}",
    "client_secret": "{client_secret}"
  }'
  • PKCE + Secret flow: both client_secret and code_verifier are required for refresh.
  • Secret flow: client_secret is required for refresh.
  • PKCE flow: client_secret is not required for refresh.
  • Refresh atomically revokes the old token pair and issues new ones (prevents refresh token replay).

Token invalidation

A token is invalid when any of these apply:
  • Expired
  • Explicitly revoked
  • The associated OAuth app has been deleted
  • The app’s scopes were expanded (adding new scopes or connector UIDs invalidates all existing tokens)

Using OAuth tokens

Include the access token in the Authorization header: 
curl https://api.manus.ai/v2/task.list \
  -H "Authorization: Bearer {access_token}"

Available endpoints

OAuth tokens can access the following v2 endpoints. Each endpoint page lists its required scope.
EndpointRequired scope
task.createcreate_task or manage_all_tasks
task.detailcreate_task or manage_all_tasks
task.listcreate_task or manage_all_tasks
task.updatecreate_task or manage_all_tasks
task.stopcreate_task or manage_all_tasks
task.deletecreate_task or manage_all_tasks
task.sendMessagecreate_task or manage_all_tasks
task.listMessagescreate_task or manage_all_tasks
task.confirmActioncreate_task or manage_all_tasks
project.createcreate_project or manage_all_tasks
project.listcreate_project or manage_all_tasks
connector.listcreate_task or manage_all_tasks
skill.listcreate_task or manage_all_tasks
file.uploadcreate_task or manage_all_tasks
file.detailcreate_task or manage_all_tasks
file.deletecreate_task or manage_all_tasks
browser.onlineListuse_my_browsers
Endpoints not listed above — including agent.*, webhook.*, usage.*, and website.* — are API Key only and cannot be accessed with OAuth tokens.

Revoking tokens

App-side: revoke a single token (RFC 7009)

curl -X POST https://api.manus.ai/oauth/revoke \
  -H "Content-Type: application/json" \
  -d '{
    "token": "{access_token_or_refresh_token}",
    "token_type_hint": "access_token",
    "client_id": "{client_id}",
    "client_secret": "{client_secret}"
  }'
  • token_type_hint is optional (access_token or refresh_token) — optimizes lookup order.
  • Always returns HTTP 200 if client credentials are valid, regardless of whether the token exists (RFC 7009).
  • PKCE-issued tokens do not require client_secret for revocation.

User-side: revoke grants

Users can view and revoke authorized OAuth apps from Authorized Apps settings. Revoking an app invalidates all of its active tokens.

Connector authorization

If your app uses connectors (e.g. GitHub, Notion):
  1. App setup: Enable use_connectors scope and select the connectors your app needs in the Manus Integrations settings.
  2. User consent: The consent page shows the connector list. The user selects which connectors to authorize.
  3. Runtime: The token must have the use_connectors scope, and the specific connector must be within the user’s granted set.
If a user has not authorized a required connector, you can redirect them to the connector consent page to update their grants: 
https://manus.im/oauth-apps/connector-consent?client_id={client_id}

App skills

OAuth apps can bundle private skills (up to 50 per app) that are automatically available to Manus in tasks created by the app. Manage skills from the Manus Integrations settings. To customize which skills are available for a specific task, pass skill IDs in message.enable_skills when calling task.create or task.sendMessage. To force Manus to use specific skills, pass them in message.force_skills.

App webhook

Each OAuth app can configure a dedicated webhook URL to receive event notifications. Set the webhook URL in the Manus Integrations settings. The URL must be HTTPS. See the Webhooks guide for event types and the Webhook Security guide for signature verification.

Secret management

Each app can have up to 5 active client secrets, enabling zero-downtime rotation. Create and revoke secrets from the Manus Integrations settings.
1

Create a new secret

Generate a new secret in the settings page. The secret is shown in plaintext — this is the only time it’s visible.
2

Update your application

Configure your app to use the new secret.
3

Verify

Confirm the new secret works in production.
4

Revoke the old secret

Revoke the old secret in the settings page. It is immediately invalidated.

Rate limits

EndpointLimit
POST /oauth/token60 / min per client_id
POST /oauth/revoke60 / min per client_id
Exceeding the limit returns HTTP 429 Too Many Requests.

Error handling

Token endpoint errors (/oauth/token and /oauth/revoke)

errorHTTP statusDescription
invalid_request400Missing or malformed parameters
invalid_client401Invalid client_id or client_secret
invalid_grant400Code is invalid, expired, or already used
unsupported_grant_type400Unsupported grant_type value
invalid_scope400Requested scope not configured on the app
server_error500Internal server error
{
  "error": "invalid_grant",
  "error_description": "authorization grant is invalid or expired"
}
All responses include an X-Request-Id header for troubleshooting.

Insufficient scope

When calling an OpenAPI v2 endpoint without the required scope: 
{
  "code": "permission_denied",
  "message": "insufficient_scope: required one of [create_task, manage_all_tasks]"
}

Best practices

  1. Store secrets securely. client_secret is only shown once at creation. Use a secrets manager — never hardcode it.
  2. Request minimal scopes. Only request what your app actually needs. Avoid manage_all_tasks unless you truly need access to all user tasks.
  3. Implement token refresh. Access tokens expire in 24 hours. Use the refresh token to renew automatically.
  4. Handle token invalidation gracefully. On 401, try refreshing. If refresh fails, redirect the user to re-authorize.
  5. Rotate secrets regularly. Use multi-secret support for zero-downtime rotation.
  6. Prefer PKCE for client-side apps. Native apps and SPAs should use PKCE — never embed a client_secret in client-side code.
  7. Validate the state parameter. Always verify state on the callback to prevent CSRF attacks.
  8. Implement backoff on 429. Token endpoints are limited to 60 req/min. Use exponential backoff with jitter.