The following guide helps guide you through the endpoints required for plugin authorization. For more details on setting up app authorization flows as a whole, check out our app authentication guide here.

Plugin OAuth server setup

For OAuth, you’ll need to support 4 endpoints:

  • Getting an authorization code grant
  • Requesting an access token using an authorization code
  • Requesting an access token using a refresh token
  • Revoking an access token

The endpoints must accept the requests outlined below and return responses minimally matching the outlined response shapes (additional attributes can be returned but we require at least what appears in these docs).

The redirect URI we’ll use for all of our requests will be https://app.kit.com/apps/install.

We’ll use Bearer Authorization to include the user’s access token on all the requests we make to your endpoints.

A diagram for this flow for apps that only require Plugin OAuth authentication can be found below. For guidance on apps that also require API authentication, also check out the app authentication guide here..

Get an authorization code grant

We will start the OAuth process by making a GET request to your provided aurthorization URL:

GET <YOUR_CONFIGURED_AUTHORIZATION_URL>?
  client_id=<YOUR CONFIGURED CLIENT ID>&
  response_type=code&
  redirect_uri=https://app.kit.com/apps/install

Get a new token using an authorization code

We will then exchange the returned authorization code for a new access token by making a POST to your configured token URL, with a body like so:

{
  "client_id": "<YOUR CONFIGURED CLIENT ID>",
  "client_secret": "<YOUR CONFIGURED CLIENT SECRET>",
  "grant_type": "authorization_code",
  "code": "abc123",
  "redirect_uri": "https://app.kit.com/apps"
}

Get a new token using a refesh token

When the previous access token expires, we will request a new access token by making a POST to your configured refresh token URL, with a body like so:

{
  "client_id": "<YOUR CONFIGURED CLIENT ID>",
  "grant_type": "refresh_token",
  "refresh_token": "string"
}

Revoke an access token

When your app is uninstalled by a creator, we will make a POST request to your revoke token URL, with a body like so:

{
  "client_id": "<YOUR CONFIGURED CLIENT ID>",
  "client_secret": "<YOUR CONFIGURED CLIENT SECRET>",
  "token": "abc123"
}

App configuration for OAuth

To set OAuth up for your app, go to the “Authentication” tab on your app, toggle on the “Plugin” section and select “OAuth” from the “Authorization method” dropdown:

This will expand the section and offer the fields to add your:

  • Authorization URL
  • Token URL
  • Refresh token URL
  • Revoke URL

as well as the “Client ID” and “Client secret” fields for us to authenticate with your service:

Once all of the fields are filled out, click save and OAuth will be set up for all plugins you create for the app.

Post-installation redirect

Your app may also include the option to alternatively send creators to your app, or an externally hosted onboarding flow, post signup. This can be configured using the Redirect URL after install field in your app details setting page. An example of this flow can be seen below.