# Authentication

SiteShot agent actions use the OAuth 2.0 authorization code flow with scoped access tokens.

ChatGPT Actions should be configured as a confidential OAuth client with a client secret. The SiteShot ChatGPT Actions flow does not require PKCE.

Required scopes:

- `account:read`: read profile and subscription status.
- `usage:read`: read screenshot usage and quota summary.
- `billing:checkout`: create Stripe Checkout Sessions.
- `api_key:read`: explicitly reveal the full screenshot API key.

ChatGPT Actions should import `/openapi.json` and use the OAuth configuration from the `SiteShotOAuth` security scheme.
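A pre-import check for the document described above, as an added example rather than SiteShot's own code: it audits the `SiteShotOAuth` scheme against the scopes listed on this page and reports which operations ask for `api_key:read`. The host `siteshot.example`, the `/example/...` paths and the rule that flags any flow other than authorization code are assumptions made for illustration.

```python
from urllib.parse import urlparse
# Scopes listed on this page.
REQUIRED_SCOPES = {"account:read", "usage:read", "billing:checkout", "api_key:read"}

def audit_oauth_scheme(spec, name="SiteShotOAuth"):
    """Return findings for the named OAuth scheme in an OpenAPI 3 document."""
    scheme = spec.get("components", {}).get("securitySchemes", {}).get(name)
    if scheme is None:
        return [f"security scheme {name} is missing"]
    findings = [] if scheme.get("type") == "oauth2" else ["type is not oauth2"]
    flows = scheme.get("flows", {})
    # Assumption: only the authorization code flow should be offered.
    findings += [f"unexpected flow {f}" for f in sorted(set(flows) - {"authorizationCode"})]
    code_flow = flows.get("authorizationCode")
    if code_flow is None:
        return findings + ["authorizationCode flow is missing"]
    for key in ("authorizationUrl", "tokenUrl"):
        if urlparse(code_flow.get(key, "")).scheme != "https":
            findings.append(f"{key} is not an https URL")
    declared = set(code_flow.get("scopes", {}))
    findings += [f"scope {s} is not declared" for s in sorted(REQUIRED_SCOPES - declared)]
    findings += [f"scope {s} is not documented" for s in sorted(declared - REQUIRED_SCOPES)]
    return findings

def operations_requiring(spec, scope, name="SiteShotOAuth"):
    """List 'METHOD path' for operations whose security requirement includes scope."""
    hits = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if not isinstance(op, dict):
                continue  # skip non-operation keys such as "parameters"
            # Operation-level security overrides the document-level default.
            reqs = op.get("security", spec.get("security", []))
            if any(scope in req.get(name, []) for req in reqs):
                hits.append(f"{method.upper()} {path}")
    return sorted(hits)

# Constructed sample: host and paths are placeholders, not SiteShot's real ones.
BASE = "https://siteshot.example/oauth"
SAMPLE = {
    "paths": {
        "/example/profile": {"get": {"security": [{"SiteShotOAuth": ["account:read"]}]}},
        "/example/key": {"get": {"security": [{"SiteShotOAuth": ["api_key:read"]}]}},
    },
    "components": {"securitySchemes": {"SiteShotOAuth": {"type": "oauth2", "flows": {
        "authorizationCode": {"authorizationUrl": BASE + "/authorize",
                              "tokenUrl": BASE + "/token",
                              "scopes": {s: "" for s in REQUIRED_SCOPES}}}}}},
}
```

Run `audit_oauth_scheme` on the parsed `/openapi.json` before importing it; an empty list means the scheme matches this page, and `operations_requiring(spec, "api_key:read")` shows where the key-revealing scope is actually used.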
