This guide will help you understand how to set up a PKCE OAuth flow for your Kit app. For more details on which flow to use or how to set up your OAuth app within Kit, please refer to the more general “Authentication” guide.
User initiates install from Kit's App Store
When a user installs your app from the Kit App Store, Kit redirects them to the Authorization URL you’ve configured.
From here, your app should present the user a screen to sign in (or sign up).
App generates code verifier and challenge
Before redirecting the user to the authorization server, the app must first generate a secret code verifier and the code challenge derived from it.
The code verifier is a cryptographically random string using the characters A-Z, a-z, 0-9, and the punctuation characters -._~ (hyphen, period, underscore, and tilde), between 43 and 128 characters long.
Once the app has generated the code verifier, it uses that to create the code challenge. The code challenge is a BASE64-URL-encoded string of the SHA256 hash of the code verifier.
The app will need to store the code_verifier for later use.
App requests user's Kit identity
After the user successfully authenticates with your app and the code verifier and challenge have been generated, redirect them to Kit’s OAuth server to request their identity.
Example redirect
Query parameters
client_id: Your app’s Client ID
response_type: code
redirect_uri: URI to redirect to
code_challenge: A BASE64-URL-encoded string of the SHA256 hash of the code_verifier
code_challenge_method: S256
scope: Default scope is public. Fine-grained access control via scopes coming soon.
state: Custom state to pass to the redirect_uri and/or to protect from XSRF
Tenant identifier: Unique, human-readable identifier for a tenant of a multi-tenant app.
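The two steps above (generate the code verifier and challenge, then redirect the user to Kit with the challenge) as a worked example. This is added example code, not Kit's own samples; it uses only the Python standard library. The authorize endpoint is a placeholder, since the page's example redirect was not preserved, so take the real Authorization URL from your app settings. It also includes the check the authorization server later performs at token exchange (verifier hashes to the challenge), which is what makes PKCE bind the authorization code to the client that started the flow.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumption: placeholder authorize endpoint; the guide does not preserve the
# real one, so substitute the Authorization URL from your Kit app settings.
AUTHORIZE_URL = "https://app.kit.com/oauth/authorize"

# The unreserved characters RFC 7636 allows in a code_verifier.
VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789-._~"
)


def generate_code_verifier(length: int = 64) -> str:
    """Return a code_verifier of `length` characters drawn from a CSPRNG.

    RFC 7636 requires 43..128 characters; 64 characters from a 66-symbol
    alphabet already carries roughly 380 bits of entropy.
    """
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters long")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(code_verifier)) with '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def generate_state() -> str:
    """Unguessable state value; store it in the session and compare on callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, code_challenge, state,
                        scope="public", authorize_url=AUTHORIZE_URL) -> str:
    """Assemble the redirect to Kit's OAuth server with the parameters the guide lists."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "scope": scope,
        "state": state,
    }
    return authorize_url + "?" + urlencode(params)


def challenge_matches(code_verifier: str, code_challenge: str) -> bool:
    """The check the authorization server performs at token exchange: the
    verifier presented must hash to the challenge bound to the authorization code."""
    return secrets.compare_digest(code_challenge_s256(code_verifier), code_challenge)


def start_authorization(client_id: str, redirect_uri: str) -> dict:
    """Everything the app must do before redirecting; persist the returned
    code_verifier and state in the user's server-side session."""
    verifier = generate_code_verifier()
    state = generate_state()
    return {
        "code_verifier": verifier,
        "state": state,
        "authorize_url": build_authorize_url(
            client_id, redirect_uri, code_challenge_s256(verifier), state),
    }
```

Only the challenge leaves the app in this step; the verifier stays in the session until the token exchange, so an authorization code intercepted in transit is useless without it.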
Example Kit app configuration
Found on the “Authentication” tab in your app settings:
Kit prompts user for consent
Kit will present a consent screen that asks the user to grant or refuse your app access to their account.
Example Kit app OAuth page
Kit redirects to App OAuth callback with authorization code
If the user grants access, Kit redirects the user back to the redirect_uri you provided when requesting the user’s identity in step 2. Kit appends a code query param with a temporary authorization code.
Example redirect
App exchanges authorization code for refresh and access tokens
Your app uses the authorization code provided to obtain a refresh and access token.
With a body like so:
Query parameters
client_id: Your app’s Client ID
code_verifier: A cryptographically random string using the characters A-Z, a-z, 0-9, and the punctuation characters -._~ (hyphen, period, underscore, and tilde), between 43 and 128 characters long. This is the value your app generated and stored earlier in the flow.
grant_type: authorization_code
code: The code received via the redirect_uri query params
redirect_uri: The redirect URI the request is coming from (must be one of your app’s redirect URIs)
Code samples
Example response
200: Returns a token
Response schema: application/json
access_token: Access token that can be used to make API requests on behalf of the authenticated user
token_type: Bearer
expires_in: Lifetime of the access token, in seconds
refresh_token: Refresh token that can be used to generate a new access token once this one expires
scope: The scopes available for the access token
Created-at timestamp: When the access token was created
App redirects user back to Kit
Now that the user has completed the OAuth flow, your app must send the user back to Kit using the redirect parameter provided at the beginning of the flow. This ensures the user navigates back to your app inside of Kit and that Kit registers the app as installed.
Redirect URL after install: if this field is set in your app’s settings, a modal prompting creators to continue their journey on your configured site will appear at this point. See this section in the app details page guide for more details.
Example redirect flow
App uses access token to make Kit API calls
Your app can now make calls to Kit’s API on behalf of the user by passing an Authorization header with the token as a Bearer value.
Code samples
App uses refresh token to obtain new access token after expiration
The access token will eventually expire and a new one must be obtained using the refresh token obtained earlier. To do this, make a POST call to https://app.kit.com/oauth/token with the following body:
Query parameters
Code samples
Example response
200: Returns a token
Response schema: application/json
access_token: Access token that can be used to make API requests on behalf of the authenticated user
token_type: Bearer
expires_in: Lifetime of the access token, in seconds
refresh_token: Refresh token that can be used to generate a new access token once this one expires
scope: The scopes available for the access token
Created-at timestamp: When the access token was created
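The back half of the flow (validating Kit's redirect to the callback, exchanging the code, using the Bearer token and refreshing it once it expires) as a worked example that is added here and is not Kit's own code. It uses only the Python standard library and the token endpoint stated in the guide. Two points are assumptions rather than page content: the refresh request body follows the standard refresh_token grant of RFC 6749 section 6 because the page's body was not preserved, and the creation timestamp field in the token response is assumed to be named created_at (in Unix seconds), with a fallback to the local clock if it is absent. The HTTP transport is injectable so the exchange can be exercised without network access.

```python
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

TOKEN_URL = "https://app.kit.com/oauth/token"  # token endpoint from the guide


class CallbackError(Exception):
    """Raised when the redirect back from Kit cannot be trusted."""


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate Kit's redirect to the redirect_uri and return the authorization code.

    The state stored in the session when the flow started must match, otherwise
    an attacker could splice their own authorization code into the victim's
    session (the XSRF the state parameter exists to prevent)."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise CallbackError("state mismatch: rejecting callback")
    if "error" in query:
        raise CallbackError("authorization failed: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise CallbackError("no authorization code in callback")
    return code


def exchange_code_body(client_id, code_verifier, code, redirect_uri) -> dict:
    """Form body for the authorization-code grant, with the fields the guide lists."""
    return {
        "client_id": client_id,
        "code_verifier": code_verifier,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }


def refresh_body(client_id, refresh_token) -> dict:
    """Form body for the refresh grant. Assumption: the guide's body was not
    preserved, so this follows RFC 6749 section 6."""
    return {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    }


def post_token(body: dict, transport=urlopen) -> dict:
    """POST a form body to the token endpoint and decode the JSON response."""
    req = Request(
        TOKEN_URL,
        data=urlencode(body).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        method="POST",
    )
    resp = transport(req)
    return json.loads(resp.read().decode("utf-8"))


class TokenSet:
    """Holds one token response and decides when the access token needs refreshing."""

    def __init__(self, payload: dict, now=None):
        self.access_token = payload["access_token"]
        self.token_type = payload.get("token_type", "Bearer")
        self.refresh_token = payload.get("refresh_token")
        self.scope = payload.get("scope")
        # Assumption: creation time is reported as created_at (Unix seconds).
        fallback = time.time() if now is None else now
        created = int(payload.get("created_at", fallback))
        self.expires_at = created + int(payload["expires_in"])

    def needs_refresh(self, now=None, skew: int = 60) -> bool:
        """Treat the token as expired `skew` seconds early to absorb clock drift."""
        now = int(time.time()) if now is None else now
        return now >= self.expires_at - skew

    def auth_header(self) -> dict:
        """Header for Kit API calls made on behalf of the user."""
        return {"Authorization": f"{self.token_type} {self.access_token}"}

    def refresh(self, client_id: str, transport=urlopen) -> "TokenSet":
        """Obtain a new access token; keep the old refresh token if Kit does not rotate it."""
        payload = post_token(refresh_body(client_id, self.refresh_token), transport)
        payload.setdefault("refresh_token", self.refresh_token)
        return TokenSet(payload)
```

A typical handler calls parse_callback with the state from the session, then post_token(exchange_code_body(...)) with the stored code_verifier, wraps the JSON in TokenSet, and checks needs_refresh before each API call so the refresh happens before a request fails with an expired token.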