OAuth v2 authentication matches in appearance the login process users expect from most modern apps.
client_id and client_secret are reserved and cannot be used as keys for input form fields.
– Label: A human-friendly name for this field that will be shown to users in the authentication form.
– Required? (checkbox): Check if this field is required for successful authentication.
– Type: All input fields use the string text field by default; select password instead if you would like to obscure the data as users enter it.
– Help Text: Include details to assist users in authenticating with your app, especially if they may be unsure where to find the data needed within your app. Format text with Markdown, and include a hyperlink if needed.
– Input Format: (optional) Help users figure out exactly what piece of data you need them to enter. For example, for a subdomain, https://.yourdomain.com/.
– Default Value: Include a value for this field to be used as a fallback. For optional fields, the default value is set on initial connection creation and used in the API call instead of missing or null values every time the Zap runs. For required fields, this value is used during connection creation, but not when the Zap runs (Zapier raises an error for missing/null values instead).
:censored:6:82a3be9927:. Due to this, it is not possible to view the exact tokens or keys in Zapier’s logs. To verify that the same token that was returned by the authentication is being used in subsequent API calls, you can compare the characters of the censored values; for example, :censored:6:82a3be9927: would have the same value ending in 9927 when used in a subsequent call.
{{bundle.inputData.redirect_uri}}
{{process.env.CLIENT_SECRET}}
– Client ID: {{process.env.CLIENT_ID}}
code response type as URL Params in the request to the authorization URL. If you need to change that, click the Show Options button and add any additional call details needed.
Note: The OAuth2 state param is a standard security feature that helps ensure that authorization requests are only coming from your servers. Most OAuth clients have support for this and will send back the state query param that the user brings to your app. The Zapier Platform performs this check and this required field cannot be disabled. The state parameter is automatically generated by Zapier in the background, and can be accessed at bundle.inputData.state. Since Zapier uses the state to verify that GET requests to your redirect URL truly come from your app, it needs to be generated by Zapier so that it can be validated later (once the user confirms that they’d like to grant Zapier permission to access their account in your app).
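The state check described above, sketched as an added Node.js example (not Zapier's implementation and not code from the original page). The per-session store, the 10-minute lifetime, the function names and the example.com URLs are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical store: session id -> { state, expiry } for the pending authorization.
const pendingStates = new Map();
const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of an unanswered request

// Client side: build the authorization URL with client_id, redirect_uri,
// the "code" response type and a freshly generated, unguessable state.
function buildAuthorizeUrl(sessionId, authorizeUrl, clientId, redirectUri, now = Date.now()) {
  const state = crypto.randomBytes(32).toString('hex');
  pendingStates.set(sessionId, { state, expiry: now + STATE_TTL_MS });
  const url = new URL(authorizeUrl);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('state', state);
  return { url: url.toString(), state };
}

// Client side: validate the GET request that arrives at the redirect URL.
// Returns the authorization code only if the state matches the one issued
// for this session; otherwise throws and the code must not be exchanged.
function handleRedirect(sessionId, redirectUrl, now = Date.now()) {
  const params = new URL(redirectUrl).searchParams;
  const returned = params.get('state');
  const code = params.get('code');
  if (!returned || !code) throw new Error('missing state or code');

  const pending = pendingStates.get(sessionId);
  pendingStates.delete(sessionId); // single use: a replayed redirect finds nothing
  if (!pending) throw new Error('no pending request');
  if (now > pending.expiry) throw new Error('state expired');

  const a = Buffer.from(returned, 'utf8');
  const b = Buffer.from(pending.state, 'utf8');
  // timingSafeEqual requires equal lengths, so check that first.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    throw new Error('state mismatch');
  }
  return code;
}
```

A redirect that fails any of these checks is rejected before the authorization code is sent in the access token request.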
POST call.
authorization_code grant type in the API request body with the access token request. If you need to change that, click the Show Options button and add any additional call details needed.
authData bundle and can be referenced with {{bundle.authData.access_token}} or {{bundle.authData.accessToken}}, depending on how your API’s response references the access token.
/user or /me call. Add the URL for the API call, and set the call type, typically a GET. This will test the user-entered credentials to ensure they enable a successful API call to your app.