Register an OAuth application in the Calendly developer portal to obtain a client_id and client_secret; set an HTTPS redirect_uri for production (localhost HTTP is permitted only in sandbox).
Redirect users to the authorization endpoint: GET https://auth.calendly.com/oauth/authorize with query params client_id, response_type=code, and redirect_uri; the authorization code returned in the redirect expires after 10 minutes.
Exchange the code for tokens via POST https://auth.calendly.com/oauth/token with grant_type=authorization_code, client_id, client_secret, code, and redirect_uri in the request body.
Store the returned access_token and refresh_token securely; use the access_token as a Bearer token in the Authorization header for all API calls to api.calendly.com.
Refresh tokens by POSTing to https://auth.calendly.com/oauth/token with grant_type=refresh_token and the stored refresh_token before the access token expires.
Known gotchas
Calendly API v1 was permanently shut down August 27, 2025; v1 API keys are invalid — only v2 OAuth 2.0 or personal access tokens are accepted.
For mobile or native apps, include a PKCE code_challenge (method S256) in the authorization request to avoid exposing the client_secret.
Authorization codes are single-use and expire after 10 minutes; caching or reusing a code returns a 400 invalid_grant error.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp