Does Calendly use an API key or OAuth?

Both. For a single account you create a Personal Access Token (PAT) under Integrations & apps → API & webhooks. OAuth 2.1 is used when you build a public app many Calendly users connect to. For connecting one account to Outloop, a personal access token is the simplest path.

What is the safest first request to test Calendly access?

GET /users/me. It returns the current user and confirms the token works without creating or changing any Calendly data. A real Outloop proof shows the request went through the API Bridge with decision allow, HTTP 200, an audit entry, and secret_exposed:false.

Can Outloop run Calendly write actions like creating a scheduling link?

Calendly supports writes such as POST /scheduling_links and POST /webhook_subscriptions, and Outloop can route approved POST requests when the workspace policy allows POST. Those writes are supported but should only be marked runtime-verified after a safe write proof succeeds through Outloop. Booking a real invitee uses the newer Scheduling API and requires OAuth plus a paid plan, not a personal access token.

Is the official Calendly MCP the same as connecting the API through Outloop?

No. An official Calendly MCP exists (mcp.calendly.com, OAuth-based), but in this workspace it is not connected. The live, verified Calendly path here is the API through Outloop, which keeps the raw token out of the agent and adds audit and workspace-level routing.

Learn · Setup guides

Connect Calendly API to Outloop

Last updated: June 15, 2026

In short

Connect the Calendly API without exposing your token to your agents.

Outloop lets your agents use approved Calendly API access through a secure local bridge. You create a Calendly personal access token, choose its scopes, and store it in Outloop — the token stays in your local secret store, and agents call the Calendly API through Outloop without ever seeing the raw token.

Summarize this setup guide with AI ChatGPT Claude Perplexity

What this setup gives you

Agents that need Calendly access — to read your account, list event types, or create a scheduling link — usually get a raw token pasted into a tool, a chat, or a .env file. With Outloop, the personal access token stays in your local secret store (macOS Keychain) and the agent requests the action through the API Bridge instead, so it never sees the raw token. The credential is used on the wire host-side; the agent uses its capability without ever seeing its value.

Security rule. Never paste API keys, personal access tokens, Authorization headers, or personal emails into chat, screenshots, docs, .env files, project folders, or generated artifacts. The token's only destination is the Outloop API key field.

What you need before starting

✓A Calendly account with access to Integrations & apps.
✓Permission to create a personal access token (admin tokens grant organization-wide access).
✓Outloop installed locally.
✓A client workspace connected in Outloop.

1. Open Integrations & apps → API

In Calendly, open Integrations & apps from the left sidebar.

Calendly left sidebar with Integrations and apps highlighted, on the Scheduling screen.

Switch to the Manage tab and open the API and webhooks card.

Calendly Integrations and apps Manage tab with the API and webhooks card highlighted.

2. Create a personal access token

On Your personal access tokens, click Create a token. You can generate up to ten tokens.

Calendly Your personal access tokens page with the Create a token button highlighted.

Note. A personal access token created as an admin grants access to Calendly data for everyone in your organization. Create it deliberately and scope it to what the agent actually needs.

3. Name the token and choose scopes

Give the token an identifiable name — a good convention is to match the name Outloop suggests, so the same key is easy to recognize on both sides. Then choose the scopes that define what the token can access. Selecting all scopes gives the broadest access; for a read-only proof you only need read scopes.

Calendly Create a personal access token dialog showing the token name field and Scheduling, User management, Contacts, and Security and Compliance scopes selected.

Tip. Newer Calendly tokens grant no access until scopes are selected. Pick the minimum the agent needs — you can create another token later for broader access.

4. Copy the token

Calendly shows the token once. Click Copy token and keep it on the clipboard — you will paste it into Outloop in a moment, not into any file or chat.

Calendly Create a personal access token confirmation with the masked token and the Copy token button highlighted.

Important. You will not be able to view the token again. If you lose it, revoke it and create a new one. Never store it in plaintext.

5. Add the Calendly key in Outloop

In Outloop, open Add an API key, choose Calendly as the service, and pick the client workspace that should get access. Outloop suggests a key name — copy it so you can name the key the same on both sides. Adding the key configures the bounded API bridge to https://api.calendly.com with the documented auth, and the agent never sees the key.

Outloop Add an API key panel with Calendly selected, a client workspace chosen, and the suggested key name shown.

6. Paste the token and add the key

Paste the Calendly token into the API key field and click Add API Key. Outloop stores it in macOS Keychain for that client workspace and never shows it again. To let an agent use it, turn on Runtime access on the key row after adding — it is never auto-enabled.

Outloop workspace key row with Calendly selected and the masked token pasted, ready to click Add API Key.

7. First safe proof (read-only)

Always prove access with a read first. Copy the test prompt from the Calendly key row and run it in your agent. The safe proof calls:

GET /users/me

Outloop workspace showing the Calendly API bridge enabled, read-only, secret exposed false, with the Copy test prompt button highlighted.

A successful, verified Outloop proof looks like this:

Calendly API access through Outloop
GET /users/me
HTTP 200
decision: allow / OK
secret_exposed: false
runtime_verified: yes
audit entry exists

Agent chat showing the Outloop Calendly access proof results: decision allow, HTTP 200, service calendly, secret exposed false, runtime verified.

We use GET /users/me for the first proof because it confirms access without changing Calendly data.

8. What the Calendly API can do

The first proof is read-only, but the integration is not limited to reads. The Calendly API (v2) covers a broad surface. Common reads include:

GET /users/me            — the current user (the safe proof)
GET /event_types         — list event types
GET /scheduled_events    — list scheduled events
GET /organization_memberships?organization=<org_uri>  — list members

Gotcha. Calendly resource identifiers are full URIs, not bare UUIDs. Pass owner=https://api.calendly.com/event_types/<id>, not just the UUID. Rate limits are about 60 requests per minute on standard plans; honor the Retry-After header on a 429. Build only on API v2.

9. Write actions and the safe next proof

Calendly also supports write actions, and Outloop can route approved POST requests through the API Bridge when the workspace policy allows POST. Notable writes:

POST /scheduling_links        — create a single-use scheduling link
POST /webhook_subscriptions   — create a webhook subscription

The safest write to test first is POST /scheduling_links with max_event_count: 1: it mints a disposable, single-use link, does not book a meeting by itself, and proves POST works through Outloop without creating a real invitee or webhook.

What the API does not do. You cannot create event types or set availability through the API — those are configured in the Calendly UI. Booking a real invitee uses the newer Scheduling API and requires OAuth plus a paid plan, not a personal access token — so it is not a simple bridge write.

Approval rule. Test write actions only when you explicitly approve them, because they may create real links or webhooks. Never auto-run a write during an access check.

10. Verified vs not claimed yet

To keep this honest, here is exactly what is proven and what is not:

Verified Calendly read access through Outloop: GET /users/me returned HTTP 200 with decision allow, an audit entry, and secret_exposed: false.
Supported, not verified yet Calendly write actions (for example POST /scheduling_links): supported by the API and permitted through bridge policy for POST, but not yet runtime-verified in this guide.
Not connected here The official Calendly MCP: it exists, but it is not connected or verified in this workspace.

Do not claim yet. "Calendly write actions are runtime-verified through Outloop" — only after one approved POST proof succeeds with an expected success status (HTTP 201), decision allow, secret_exposed: false, and an audit entry.

11. Calendly API Bridge vs Calendly MCP

Calendly offers both an API and an official MCP. In this workspace, the live, verified path is the Calendly API through Outloop. The API through Outloop is usually more stable, auditable, tenant-scoped, and governable; an MCP can be useful, but we only mark it verified when it is actually connected and tested here — and it is not.

API Bridge: Live now Verified in this guide Audited Secret-safe Workspace-scoped

MCP: Official MCP exists Not connected here Not verified in this guide

For this workspace, the Calendly API through Outloop is the only Calendly path that is live and verified right now.
Area	Calendly API through Outloop	Calendly MCP
Live in this workspace	Live now The API path is the only Calendly path connected here.	Not connected here An official MCP exists at mcp.calendly.com, but it is not connected in this workspace.
Verified in this guide	Verified in this guide Proven with a real Outloop read proof.	Not verified here
Auth model	Personal access token stored in Outloop / macOS Keychain, injected host-side.	OAuth 2.1 + PKCE with dynamic client registration (a connector/session flow).
Raw secret exposure to the agent	Secret-safe Outloop keeps the raw token out of chat, files, and agent context.	Depends on the connector/OAuth session model.
Audit trail	Audited Every API Bridge request is auditable through Outloop.	Not through Outloop.
Workspace / tenant routing	Workspace-scoped Outloop enforces workspace-aware access boundaries.	Not through Outloop.
Read actions	Verified GET /users/me proven live here.	Not verified here
Write actions	Supported, not verified yet POST is permitted by bridge policy; not runtime-verified until a safe write proof succeeds.	Likely supported The official MCP lists write tools, but nothing is verified here.
API surface	The full documented Calendly REST v2 surface.	A curated tool set (about 44 tools).
Stability	Predictable token-based access.	Can depend on connector/session state.
Best fit	Governed, repeatable client and workspace workflows.	Convenience when a connected MCP is already working.

Honesty note. This comparison is intentionally conservative. The official Calendly MCP appears to expose a broad toolset, but it is not connected in this workspace, so this guide does not mark MCP capabilities as verified. By contrast, the Outloop API Bridge is live and verified here.

12. Troubleshooting

If the proof fails, check:

→The token was copied in full and pasted only into the Outloop API key field.
→The token has the scopes the request needs (a read proof needs read scopes).
→Runtime access is turned on for the Calendly key row.
→The request path is under https://api.calendly.com and you did not send your own Authorization header — Outloop injects it host-side.
→The workspace in Outloop is the correct one for this client.

Common mistake. Assuming a result from the Calendly UI, an MCP, an SDK, or a browser connector proves Outloop access. A connection is only verified if the request goes through Outloop and returns an API Bridge result with an audit entry, decision allow, an HTTP success, and secret_exposed: false.

Outloop is in commercial beta (controlled design-partner prep). Outloop is an independent tool and is not affiliated with or endorsed by Calendly. See the security model, or the Zoho CRM API setup guide.