Authenticate with The Zapier Workflow API

Authenticating as a user (OAuth)

Step 1: Configure a redirect URI

Embed → Settings → Redirect URIs

Step 2: Get your Client ID and Client Secret

Embed → Settings → Credentials

Step 3: Determine which OAuth scopes are required for your use case

Step 4: Initiate the OAuth flow and get the user's permission

The authorization request includes the following parameters:
Parameter | Meaning |
---|---|
response_type=code | This tells the authorization server that the application is initiating the authorization code flow. |
client_id | The public identifier for your application. This will be the same client id that you retrieved in step #2. |
redirect_uri | Tells Zapier’s authorization server where to send the user back to after they approve the request. This should be the redirect URI that you configured in step #1. |
scope | One or more space-separated strings indicating which permissions your application is requesting. Information on specific scopes required is included within the API reference for each endpoint. |
state | Your application generates a random string and includes it in the request. It should then check that the same value is returned after the user authorizes the app. This is used to prevent CSRF attacks. |
Step 5: Receive a redirect at your redirect URI

After the user approves the request, Zapier redirects the browser back to the redirect_uri that you specified and configured earlier. Two query string parameters, code and state, will also be included. For example, the browser would be redirected to:

Parameter | Meaning |
---|---|
code | This value is the authorization code generated by Zapier’s authorization server. In the next step, you’ll exchange this code for an access token. Keep in mind that authorization codes are only valid for 2 minutes, and you’ll need to do the exchange within that window of time to avoid errors. |
state | This value should match the state query parameter that you used in step 2. Your application should verify that these values match. |
Step 6: Exchange the authorization code for an access token

To exchange the authorization code for an access token, make a POST request to Zapier's token endpoint https://zapier.com/oauth/token/. Below is an example of a request that can be used to do the exchange.

Parameter | Meaning |
---|---|
CLIENT_ID | This will be the same client id that you retrieved in step #2. |
CLIENT_SECRET | This is a secret known only to your application and the authorization server. It will be the same client secret that you retrieved in step #2. |
AUTHORIZATION_CODE | This is the authorization code you received in the above step #5. |
REDIRECT_URI | This should be the redirect URI that you configured in step #1. |
The request is authenticated with your client_id and client_secret. You'll receive a response that looks like this:

The response contains an access_token that you'll use to make API requests on the user's behalf, as well as a refresh token.

Using the access token

Include the access token in the Authorization header of each API request. For example:

Refreshing the access token

Access tokens expire after the period given by expires_in, for security purposes. After that point, any request using that access token will return a 401 status code. To proceed, the refresh token should be exchanged for a new access token and a new refresh token. This will not require any interaction by the user. Below is an example request that can be used:

Parameter | Meaning |
---|---|
CLIENT_ID | This will be the same client id that you retrieved earlier. |
CLIENT_SECRET | This is a secret known only to your application and the authorization server. It will be the same client secret that you retrieved earlier. |
REFRESH_TOKEN | This is the refresh token you received with the access token. |
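The client-side pieces of the flow above in Python, as an added example that is not from Zapier's documentation: generating and checking the state value, building the form bodies for the code exchange and the refresh against the token endpoint the page names, and deciding when to refresh from expires_in. The grant_type values are the standard RFC 6749 ones and are assumed, since the page's request examples are not reproduced; the callback URL and credentials are constructed sample values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

TOKEN_ENDPOINT = "https://zapier.com/oauth/token/"  # token endpoint named on the page

def new_state() -> str:
    """Unguessable per-request value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)

def state_ok(received: str, expected: str) -> bool:
    """CSRF check: the callback must carry the exact state this session issued.
    Constant-time comparison so a mismatch is not distinguishable by timing."""
    return bool(expected) and hmac.compare_digest(received.encode(), expected.encode())

def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect back to redirect_uri,
    refusing it when the state check fails or no code is present."""
    qs = parse_qs(urlparse(redirect_url).query)
    if not state_ok(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code  # valid for only 2 minutes: exchange it immediately

def token_exchange_body(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Form body for the POST to TOKEN_ENDPOINT (grant_type per RFC 6749, assumed here)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the configured redirect URI
    }

def refresh_body(client_id: str, client_secret: str, refresh_token: str) -> dict:
    """Form body for exchanging the refresh token for a new token pair (assumed grant_type)."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }

def needs_refresh(issued_at: int, expires_in: int, now: int, skew: int = 60) -> bool:
    """Refresh proactively within `skew` seconds of expiry instead of waiting for a 401."""
    return now >= issued_at + expires_in - skew
```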
Authenticating as your app (app access token)

Step 1: Get your Client ID and Client Secret

Embed → Settings → Credentials

Step 2: Determine which OAuth scopes are required for your use case

Step 3: Retrieve the app access token

To retrieve an app access token, make a POST request to Zapier's token endpoint https://zapier.com/oauth/token/. Below is an example of a request that can be used to do the exchange.

Parameter | Meaning |
---|---|
CLIENT_ID | This will be the same client id that you retrieved in step #1. |
CLIENT_SECRET | This is a secret known only to your application and the authorization server. It will be the client secret that you retrieved in step #1. |
SCOPE | One or more scopes needed from step #2, separated by spaces. |
The request is authenticated with your client_id and client_secret. You'll receive a response that looks like this:

The response contains an access_token that you'll use to make API requests on your app's behalf.

Using the access token

Include the access token in the Authorization header of each API request. For example:

Authenticating with your client ID only

Some V1 endpoints only require your client_id to make an authenticated request.

Step 1: Get your client id

Embed → Settings → Credentials

Step 2: Pass the client id as a query parameter

Pass your client_id as a query param to any V1 endpoints that require it.