OAuth2: Client credentials grant


This is very similar to the auth code flow use OAuth2 based authentication as it ensures high security.

For this, you'll need to create an OAuth app with the third party service.

You will then need:

  1. client ID and client secret of the OAuth app

  2. authentication URL and access token URL of your third party service

Authentication Demo: Twitch

To demonstrate how to set up an OAuth2 service with Client credentials grant flow, this demo will use the Twitch API docs for the remainder of this example.

Note for Parameterization

Parameterization allows you to provide the values for fields like Client Id, Client Secret and the API url at the time of creating authentications. It adds:

  1. reusability as you can use different OAuth apps in different integrations by creating a single service

  2. security as you don't have to expose the values in the services page and you will only feed them while creating the auth.

Here's an example on how it can make your service reusable:

Shopify has custom URL for domains, you can parameterize the url in the OAuth 2 settings by passing a placeholder as: {{shopify_url}}

Now you can add the same placeholder value below in the 'Authentication parameters' section

NOTE: The unique property key has to match the placeholder value you passed in the settings.

Redirect URL note for embedded

If you need a white-labelled solution, you can add another redirect URL <Your_org_name_here>.integration-authentication.com/oauth2/token

Example: acme.integration-authentication.com/oauth2/token

Your first redirect URL should still be auth.tray.io/oauth2/token followed by acme.integration-authentication.com/oauth2/token in second place. If the service doesn't support more than one redirect URL, check out two workarounds here.

The above URL will replace the redirect URI query parameter in the config wizard/auth-only domain when your end users configure their solution instances.

If you wish to have your self-hosted redirect URL, please contact support as it would require setup from our side.