> ## Documentation Index > Fetch the complete documentation index at: https://developers.kit.com/llms.txt > Use this file to discover all available pages before exploring further. # OAuth refresh token flow This guide will help you understand how to set up a standard refresh token flow for an OAuth app. For more details on which flow to use or how to set up your OAuth app within Kit, please refer to the [more general "Authentication" guide](/api-reference/authentication). We also offer example OAuth implementations that can be viewed below: View Oauth2 strategy for Kit on Github See an example of authenticating with [Kit's OAuth Server in Node.js here](https://github.com/Kit/app-demos/tree/17077153aed0fc2475054e267813c2a3f147195e/oauth-express) ## OAuth refresh token flow When a user installs your app from the Kit App Store, Kit redirects them to the `Authorization URL` you've configured. ``` https://example.com/kit/oauth?redirect=https://app.kit.com/apps/1?success=true ``` From here, your app should present the user a screen to sign in (or sign up). Kit will append a redirect query parameter to your Authorization URL that you will need to save in order to complete the flow. After the user successfully authenticates with your app, redirect them to Kit's OAuth server to request their identity. The value supplied to redirect\_uri must be one of the Redirect URIs configured in your app's settings, found on the *Distribution* tab. ```http theme={null} https://api.kit.com/v4/oauth/authorize? client_id=YOUR_CLIENT_ID& response_type=code& redirect_uri=https://oauth2.example.com/callback& state=DEF456 ``` Your app's Client ID `code` URI to redirect to Default scope is `public`. Fine-grained access control via scopes coming soon. Custom state to pass to the `redirect_uri` and/or to protect from XSRF Unique, human-readable identifier for a tenant of a multi-tenant app. Found on the "Authentication" tab in your app settings: Example Kit app configuration Kit will present a consent screen that asks the user to grant or refuse your app access to their account. Kit OAuth page If the user grants access, Kit redirects the user back to the `redirect_uri` you provided when requesting the user's identity in step 2.

Kit appends a `code` query param with a temporary authorization code.

Kit also appends a state query param with the same value sent in the authorization request. This check helps verify that the user, not a malicious script, is making the request and reduces the risk of CSRF attacks. ``` https://oauth2.example.com/callback? code=mrApixZzMPnYO28KoeIZxn2mvom1Tx48S9iyrQVYVE8& state=DEF456 ``` Your app uses the authorization code provided to obtain a refresh and access token. ``` POST https://api.kit.com/v4/oauth/token ``` With a body like so: ```json theme={null} { "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "grant_type": "authorization_code", "code": "abc123", "redirect_uri": "https://oauth2.example.com/callback" } ``` Your app's Client ID Your app's Client Secret `authorization_code` The code received via the redirect uri query params The redirect URI the request is coming from (must be one of your app's redirect URIs) ```shell shell theme={null} curl -X POST https://api.kit.com/v4/oauth/token \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -d '{ "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "grant_type": "authorization_code", "code": "abc123", "redirect_uri": "https://oauth2.example.com/callback" }' ``` ```javascript Javascript theme={null} const headers = { 'Content-Type':'application/json', 'Accept':'application/json' }; const inputBody = '{ "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "grant_type": "authorization_code", "code": "abc123", "redirect_uri": "https://oauth2.example.com/callback" }'; fetch('https://api.kit.com/v4/oauth/token', { method: 'POST', body: inputBody, headers: headers }) .then(function(res) { return res.json(); }).then(function(body) { console.log(body); }); ``` ```ruby Ruby theme={null} require 'rest-client' require 'json' headers = { 'Content-Type' => 'application/json', 'Accept' => 'application/json' } payload = { "client_id" => "YOUR_CLIENT_ID", "client_secret" => "YOUR_CLIENT_SECRET", "grant_type" => "authorization_code", "code" => "abc123", "redirect_uri" => "https://oauth2.example.com/callback" } result = RestClient.post 'https://api.kit.com/v4/oauth/token', payload, params: { }, headers: headers p JSON.parse(result) ``` ```python Python theme={null} import requests headers = { 'Content-Type': 'application/json', 'Accept': 'application/json' } json = { "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "grant_type": "authorization_code", "code": "abc123", "redirect_uri": "https://oauth2.example.com/callback" } r = requests.post('https://api.kit.com/v4/oauth/token', headers = headers, json = json) print(r.json()) ``` **200**: Returns a token ```json theme={null} { "access_token": "YOUR_ACCESS_TOKEN_HERE", "token_type": "Bearer", "expires_in": 172800, "refresh_token": "YOUR_REFRESH_TOKEN_HERE", "scope": "public", "created_at": 1710270147 } ```

Response schema: *application/json*

Access token that can be used to make API requests on behalf of the authenticated user `Bearer` When the access token expire in seconds Refresh token that can be used to generate a new access token once this one expires The scopes available for the access token When the access token was created Now that the user has completed the OAuth flow, your app must send the the user back to Kit using the `redirect` parameter provided at the beginning of the flow.

This will ensure the user properly navigates back to your app inside of Kit and registers that the app has been installed.

If you have set up the `Redirect URL after install` field in your app's settings, a modal prompting creators to continue their journey on your configured site will appear at this point. See this section in the [app details page guide](/kit-app-store/app-details-page#how-to-configure) for more details. example redirect flow Your app can now make calls to Kit's API on behalf of the user by passing a `Authorization` header with the token as a `Bearer` value. ```shell shell theme={null} curl -X GET https://api.kit.com/v4/account \ -H 'Accept: application/json' \ -H 'Authorization: Bearer YOUR_ACCESS_TOKEN_HERE' ``` ```javascript Javascript theme={null} const headers = { 'Accept':'application/json', 'Authorization':'Bearer YOUR_ACCESS_TOKEN_HERE' }; fetch('https://api.kit.com/v4/account', { method: 'GET', headers: headers }) .then(function(res) { return res.json(); }).then(function(body) { console.log(body); }); ``` ```ruby Ruby theme={null} require 'rest-client' require 'json' headers = { 'Accept' => 'application/json', 'Authorization' => 'Bearer YOUR_ACCESS_TOKEN_HERE' } result = RestClient.get 'https://api.kit.com/v4/account', params: { }, headers: headers p JSON.parse(result) ``` ```python Python theme={null} import requests headers = { 'Accept': 'application/json', 'Authorization': 'Bearer YOUR_ACCESS_TOKEN_HERE' } r = requests.get('https://api.kit.com/v4/account', headers = headers) print(r.json()) ``` The access token will eventually expire and a new one must be obtained using the refresh token obtained earlier. To do this, make a `POST` call to `https://api.kit.com/v4/oauth/token`, with the following body: ```json theme={null} { "client_id": "YOUR_CLIENT_ID", "grant_type": "refresh_token", "refresh_token": "abc123" } ``` Your app's Client ID `refresh_token` The refresh token ```shell shell theme={null} curl -X POST https://api.kit.com/v4/oauth/token \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -d '{ "client_id": "YOUR_CLIENT_ID", "grant_type": "refresh_token", "code": "abc123" }' ``` ```javascript Javascript theme={null} const headers = { 'Content-Type':'application/json', 'Accept':'application/json' }; const inputBody = '{ "client_id": "YOUR_CLIENT_ID", "grant_type": "refresh_token", "code": "abc123" }'; fetch('https://api.kit.com/v4/oauth/token', { method: 'POST', body: inputBody, headers: headers }) .then(function(res) { return res.json(); }).then(function(body) { console.log(body); }); ``` ```ruby Ruby theme={null} require 'rest-client' require 'json' headers = { 'Content-Type' => 'application/json', 'Accept' => 'application/json' } payload = { "client_id" => "YOUR_CLIENT_ID", "grant_type" => "refresh_token", "code" => "abc123" } result = RestClient.post 'https://api.kit.com/v4/oauth/token', payload, params: { }, headers: headers p JSON.parse(result) ``` ```python Python theme={null} import requests headers = { 'Content-Type': 'application/json', 'Accept': 'application/json' } json = { "client_id": "YOUR_CLIENT_ID", "grant_type": "refresh_token", "code": "abc123" } r = requests.post('https://api.kit.com/v4/oauth/token', headers = headers, json = json) print(r.json()) ``` **200**: Returns a token ```json theme={null} { "access_token": "YOUR_NEW_ACCESS_TOKEN_HERE", "token_type": "Bearer", "expires_in": 7200, "refresh_token": "YOUR_NEW_REFRESH_TOKEN_HERE", "scope": "public", "created_at": 1710271006 } ```

Response schema: *application/json*

Access token that can be used to make API requests on behalf of the authenticated user `Bearer` When the access token expire in seconds Refresh token that can be used to generate a new access token once this one expires The scopes available for the access token When the access token was created