Treat your API key like a password. It can be used to run your AI Actions. For example: if you set up a “Gmail: Find email” action, anyone with your API key can read all your email.
Your OAuth client can be used with the PKCE flow to authenticate with AI Actions using a Bearer token. To begin this process, you first need to generate a code verifier and a code challenge. Here is some sample code in TypeScript to do this:
```typescript
/**
 * https://nodejs.org/api/crypto.html#cryptogetrandomvaluestypedarray
 *
 * Store the verifier securely, as it will be needed later
 *
 * @returns Verifier to use when getting a token
 */
const generateVerifier = () => {
  const array = new Uint32Array(28);
  crypto.getRandomValues(array);
  // Each random 32-bit value contributes its low byte as two hex characters,
  // so the verifier is a 56-character hex string.
  return Array.from(array, (item) => `0${item.toString(16)}`.slice(-2)).join(
    "",
  );
};

/** Base64 URL encode a buffer */
const base64URLEncode = (buffer: ArrayBuffer) => {
  const uint8Array = new Uint8Array(buffer);
  const base64String = btoa(String.fromCharCode(...uint8Array));
  // Swap the base64 alphabet for the URL-safe one and drop padding
  return base64String
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
};

/**
 * @param verifier Verifier from `generateVerifier`
 * @returns Base64 URL encoded SHA-256 hash of the verifier
 */
const generateCodeChallenge = async (verifier: string) => {
  const encoder = new TextEncoder();
  const data = encoder.encode(verifier);
  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
  return base64URLEncode(hashBuffer);
};
```
Make sure to store the verifier securely! It will be needed when returning to your site after authenticating with AI Actions.
You can then send the user to AI Actions to see your OAuth consent screen:
After the user has authorized your app, they will be redirected to the redirect_uri you provided with a code query parameter. You can then exchange this code for a token, using the verifier that you generated previously:
```typescript
interface OAuthAccessToken {
  /** JWT with user info */
  id_token: string;
  /** Token that can be used with the `Authorization: Bearer ...` header */
  access_token: string;
  /** Token that can be used to get a new access token */
  refresh_token: string;
  /** Number of seconds until the token expires */
  expires_in: number;
  token_type: "Bearer";
  scope: "openid nla:exposed_actions:execute";
}
```
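The point of sending the verifier with the code is that the token endpoint can recompute the challenge and refuse the exchange if it does not match what was stored with the authorization request. The following added example (not Zapier's code) shows both halves of that check in TypeScript using Node's `crypto` module: client-side verifier and S256 challenge generation, and the server-side recompute-and-compare that makes an intercepted code useless without the verifier. It generalizes beyond the page's hex verifier to any verifier in the RFC 7636 character set and length range; `verifyPkce` is a hypothetical name for the server-side check.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

/** Base64url without padding, as RFC 7636 requires for S256 challenges. */
function base64UrlEncode(buf: Buffer): string {
  return buf
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

/** Client: 32 random bytes, base64url-encoded (43 chars, inside RFC 7636's 43..128). */
function generateVerifier(): string {
  return base64UrlEncode(randomBytes(32));
}

/** Client: code_challenge = base64url(SHA-256(code_verifier)), method S256. */
function generateCodeChallenge(verifier: string): string {
  return base64UrlEncode(createHash("sha256").update(verifier, "ascii").digest());
}

// Allowed verifier alphabet and length from RFC 7636 section 4.1.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

/**
 * Server (token endpoint): the authorization code may be redeemed only if the
 * verifier presented now hashes to the challenge stored when the code was
 * issued. Malformed verifiers return false rather than throwing, so the caller
 * can answer every failure with the same invalid_grant error.
 */
function verifyPkce(verifier: string, storedChallenge: string): boolean {
  if (!VERIFIER_RE.test(verifier)) return false;
  const expected = Buffer.from(generateCodeChallenge(verifier));
  const presented = Buffer.from(storedChallenge);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (expected.length !== presented.length) return false;
  return timingSafeEqual(expected, presented);
}
```

The constructed pair in the test below is the S256 example from RFC 7636 Appendix B, so the challenge value can be checked against the RFC.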
The access_token can then be used to make API calls to AI Actions:
```bash
curl -X GET "https://actions.zapier.com/api/v2/auth/check" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```
Since your users may not already have a Zapier account, we offer a quick account creation flow that allows users to create a Zapier account and connect their account to your app in one step. To use this flow, first generate the /oauth/authorize URL as outlined above. Then, get the account creation URL for your OAuth client:
When you send a user to the provided login_link, they will go through a quick Zapier account creation flow. If the provided email address is already associated with a Zapier account, they will be asked to log in.
Users will receive a follow-up email from Zapier to confirm their email address and to let them set a password for the account. The user will then see the AI Actions OAuth consent screen and be redirected back to your redirect_uri with a code query parameter, which can be exchanged for an access token as outlined above.
After expires_in seconds, the access_token will expire. To get a new token, you can use the refresh_token that was returned when you got the original token: