Thanks for your patience! I met with one of our backend engineers today and got some clarity on several of your questions.
For your question about programmatically creating OAuth apps with the API, we’d recommend checking out this post on reverse engineering our UI in cases where there are no OpenAPI docs: [Support Guide] Understanding and using Netlify's API If you watch the call we make in the UI when creating an OAuth app, you’ll see that it’s a POST with a JSON body to
api.netlify.com/api/v1/oauth/applications. The caveat with calls that aren’t documented is that the routes could change, but that route is an OAuth standard and not Netlify-specific… so less likely to change than some others!
These are some of the other routes we use: https://doorkeeper.gitbook.io/guides/ruby-on-rails/routes
You asked about
ticket is a special kind of abstraction within the Netlify CLI. The reason we use it there, and the reason we need to poll to see if the user has authorized, is because the CLI doesn’t have a direct way to communicate with the browser. But this is not the typical way to do OAuth. If your authorization is all happening within the context of a browser, you should do something more like what’s described in this blog post:
The code is linked in there but in case you just wanna dive in:
Please let us know if that helps or if you have other questions about this!