OAuth Apps

OAuth 2.0 is a standard that allows an application to access a user's data on that user's behalf, without the user sharing their password with the application. OAuth applications used in conjunction with our API and/or webhooks can be a powerful way to create amazing experiences with Glo.


Creating a new OAuth App

To create an OAuth app, visit the OAuth Apps tab under your email on the account page.

  1. Click New OAuth App
  2. Enter in the information into the form
    • App name can be anything but will be displayed to your users when they login to your app via OAuth
    • The Homepage and Authorization callback must be valid URLs
    • The Authorization callback is the URL GitKraken redirects the user back to (with the temporary code) in step 2 of the Web Application Flow
  3. Click Create App
  4. You now have credentials that can be used in an OAuth application
    • The Client Secret is sensitive information that you should protect accordingly. If you need to, we provide an easy way to reset your client secret

Protecting the client secret

  • Do not store the client secret in a public git repo
  • Do not ship the client secret in code that will be delivered to your users' devices

Usage with mobile apps, Chrome extensions, and other client-side code

You cannot ship your client secret to users. Anything bundled into a mobile app, a browser extension, or JavaScript served to the browser can be extracted, and the auth code exchange requires the client secret. For example, do not perform the auth code exchange inside a mobile app.

You must have a hosted backend performing the auth code exchange and delivering the access token to the user's device. If you can't host a web service, please ask users to create a Personal Access Token instead.


Web Application Flow

  1. Users are redirected to GitKraken to authorize access to the OAuth application
  2. Users are redirected back to the OAuth application
  3. The OAuth app can access our API with the user's access token

Request a user's GitKraken identity

GET https://app.gitkraken.com/oauth/authorize

Query Parameters

Name           Type    Description
response_type  string  Required. A string whose value must be code.
client_id      string  Required. The Client ID you received from GitKraken when you created your OAuth App.
scope          string  Required. Space-delimited list of scopes.
state          string  An unguessable random string used to prevent cross-site request forgery attacks. Generate it per login attempt, keep it in the user's session, and compare it with the value returned on the callback.

Users are redirected back to your site by GitKraken

When the user authorizes your application, GitKraken redirects back to your callback URL with a temporary code in a code parameter as well as the state you provided in the previous step. If you passed a state and the returned value does not match the one you stored, abort the process rather than exchanging the code. Otherwise, exchange the code for an access token from your backend.

POST https://api.gitkraken.com/oauth/access_token

Post Body

Name           Type    Description
grant_type     string  Required. A string whose value must be authorization_code.
client_id      string  Required. The Client ID you received from GitKraken for your OAuth App.
client_secret  string  Required. The Client Secret you received from GitKraken when creating your OAuth App. This is why the exchange must run on your backend.
code           string  Required. The temporary code GitKraken sent to your callback URL in the previous step.

Response

The access token you receive in response will be in a JSON document. Send it as a Bearer token on API calls made on the user's behalf, and store it server-side with the same care as any other credential.

{
  "access_token": "60497d42f112db0e6d59e4754fg7c15d139aa36f",
  "token_type": "Bearer"
}
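The three steps above, as an added end-to-end example in Python. This is not code from GitKraken's documentation or SDK; it is written here to show the pieces a backend needs: building the authorize redirect with a fresh state, rejecting a callback whose state does not match, and performing the code exchange server-side (which is also why the mobile and browser-extension section above requires a hosted service). The client ID, client secret, callback URL and scope name are placeholders, and the token endpoint is replaced by a constructed stub so the example runs offline; pass no `post` argument to use the real HTTP call.

```python
import hmac
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://app.gitkraken.com/oauth/authorize"
TOKEN_URL = "https://api.gitkraken.com/oauth/access_token"

# Placeholder configuration (assumed values). Real values come from the OAuth
# Apps tab; the client secret must live only on the backend (env var, vault).
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
CALLBACK_URL = "https://example.com/oauth/callback"


def build_authorize_url(scopes, session):
    """Step 1: build the redirect to GitKraken and remember the state.

    The state is a fresh unguessable value kept in the user's server-side
    session so the callback can prove it belongs to this login attempt.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, session):
    """Step 2: validate the redirect back from GitKraken and return the code.

    Raises when the state is missing or does not match the stored value
    (the CSRF check). The stored state is consumed so it cannot be replayed.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        raise ValueError("OAuth state mismatch; aborting login attempt")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback did not carry a code")
    return code


def exchange_code(code, post=None):
    """Step 3: swap the temporary code for an access token on the backend.

    `post` is injectable so the example can run against a stub; the default
    performs the real HTTPS POST with the client secret.
    """
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
    }).encode()
    response = json.loads((post or _http_post)(TOKEN_URL, body))
    if "access_token" not in response or response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response: %r" % (response,))
    return response["access_token"]


def _http_post(url, body):
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def fake_token_endpoint(url, body):
    """Constructed stand-in for the token endpoint so the demo runs offline."""
    fields = urllib.parse.parse_qs(body.decode())
    if fields.get("grant_type") != ["authorization_code"] or fields.get("client_secret") != [CLIENT_SECRET]:
        return json.dumps({"error": "invalid_client"})
    if fields.get("code") != ["tmp-code-123"]:
        return json.dumps({"error": "bad_verification_code"})
    return json.dumps({"access_token": "60497d42f112db0e6d59e4754fg7c15d139aa36f",
                       "token_type": "Bearer"})


def demo():
    """Walk the whole flow with a simulated redirect back from GitKraken."""
    session = {}
    build_authorize_url(["read"], session)  # "read" is a placeholder scope name
    callback = CALLBACK_URL + "?" + urllib.parse.urlencode(
        {"code": "tmp-code-123", "state": session["oauth_state"]})
    code = parse_callback(callback, session)
    return exchange_code(code, post=fake_token_endpoint)


if __name__ == "__main__":
    print(demo())
```

The state is popped from the session before comparison, so a second callback with the same state fails even if the first one succeeded; `hmac.compare_digest` avoids leaking the stored value through timing.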

Revoke All User Tokens

By revoking all user tokens, all users will need to re-authorize with your application in order to continue using it.


Reset Client Secret

By resetting your client secret, the old secret stops working immediately and you will need to update your application to use the new client secret. Use this option if your client secret is compromised, for example if it was committed to a repository or shipped to a client device.