Auth
DYNAM access has two separate decisions: your app or server must be approved, and the licensing basis must match how you use the data.
Models
| Model | Licensing basis | Use when | Request details |
|---|---|---|---|
| API token + IP allowlist | Seat/account based | Your backend fetches, caches, or processes DYNAM data | Server IPs, expected countries, expected traffic |
| End-user OAuth | End user’s personal DYNAM rights | Your browser/native app lets each user sign in with EasyVFR | Redirect URIs, public/confidential client type, direct-client use case |
| Application token | Seat/account based app identity | A managed integration needs signed app identity instead of OAuth | App name, environments, rotation plan |
End-user OAuth
End-user OAuth is the normal model for approved client apps that call DYNAM directly for a signed-in user.
Flow:
- Register your OAuth client with the EasyVFR team.
- Your client is approved for the
dynamscope. - The user signs in at
https://auth.easyvfr.app/oauth/authorize. - Your app exchanges the code at
https://auth.easyvfr.app/oauth/token. - Call DYNAM with
Authorization: Bearer <access_token>.
Approval of your OAuth client does not grant data for all users. Each user still needs personal DYNAM Data API rights. If the user has no rights, DYNAM returns 403.
OAuth discovery:
OAuth discovery lives on the Auth API host, not the DYNAM Data API host:
https://auth.easyvfr.app/.well-known/oauth-authorization-serverhttps://auth.easyvfr.app/.well-known/openid-configuration
Do not append /.well-known/... or /oauth/... to the DYNAM Data API base URL; those paths belong to the Auth API host.
Recommended authorize parameters:
response_type=code
client_id=YOUR_CLIENT_ID
redirect_uri=YOUR_REGISTERED_REDIRECT_URI
scope=dynam
state=OPAQUE_STATE
code_challenge=PKCE_CHALLENGE
code_challenge_method=S256Browser/native apps should use PKCE. Confidential backend clients may use a client secret where issued.
Server-to-server
Server-to-server access uses an API token from your backend and may be restricted by IP allowlist. Use this when you process or cache DYNAM data on infrastructure you control.
curl \
-H "Authorization: Bearer $DYNAM_API_TOKEN" \
"https://dynam.easyvfr.stream/api/v1/data/airspaces?countries=NL,BE,DE&scope=dynam"Treat the token as a deployment secret. Do not ship it in a browser or native app.
Application tokens
Application tokens are approved app identities signed with X-App-Auth.
They are seat/account based and intended for managed integrations. They can carry a user id for audit or routing, but they are not the standard model for public client-direct End-user OAuth access.
Scopes and rights
dynamis the public third-party DYNAM data scope.staticis internal-only for NOTAMbriefing.com.profileis only needed if your app calls/oauth/userinfo.offline_accessis only needed when your approved client should receive refresh tokens.- Existing generic scopes such as
readorwritedo not imply DYNAM access. - DYNAM End-user OAuth checks the
dynam_data_api_end_userplatform right and theDYNAMAirspacesNOTAMsGeoJSONdataset right.
Common failures
| Status | Meaning | Fix |
|---|---|---|
401 | Missing, expired, or invalid credential | Refresh the token or check server credentials |
403 token_scope_missing | Token does not include dynam | Request the dynam scope during OAuth |
403 client_not_approved_for_dynam | OAuth client is not approved for direct DYNAM access | Request approval for the client |
403 dynam_dataset_right_missing | User does not have personal DYNAM rights | Ask the user to sign in with an entitled EasyVFR account |
403 for scope=static | Static scope is internal-only | Use scope=dynam or omit scope |
Next
- Quickstart - first request.
- MapLibre/Mapbox - render the GeoJSON.
- Request access - managed intake for this environment.