OAuth Apps
GitKraken Boards and GitKraken Timelines will sunset at the end of 2022. Please read our full announcement and FAQ to learn more.
OAuth 2.0 is a standard that lets an application access a user's data on that user's behalf, without the user handing over their password. OAuth applications used in conjunction with our API and/or webhooks can be a powerful way to create amazing experiences with GitKraken Boards.
Creating a new OAuth App
To create an OAuth app, visit the OAuth Apps tab under your email on the account page.
- Click New OAuth App
- Enter the information into the form
  - App name can be anything, but it will be displayed to your users when they log in to your app via OAuth
  - The Homepage and Authorization callback must be valid URLs
  - The callback URL is the URL that will be used in step 2 of the Web Application Flow
- Click Create App
- You now have credentials that can be used in an OAuth application
- The Client Secret is sensitive information that you should protect accordingly. If you need to, we provide an easy way to reset your client secret.
Protecting the client secret
- Do not store the client secret in a public git repo
- Do not ship the client secret in code that will be delivered to your users' devices
Usage with mobile apps, Chrome extensions, and other client-side code
You cannot ship your client secret to users. For example, do not use the auth code exchange inside a mobile app.
You must have a hosted backend performing the auth code exchange and delivering the access token to the user's device. If you can't host a web service, please ask users to create a Personal Access Token instead.
Web Application Flow
1. Users are redirected to GitKraken to authorize access to the OAuth application
2. Users are redirected back to the OAuth application
3. The OAuth app can access our API with the user's access token
Request a user's GitKraken identity
GET https://app.gitkraken.com/oauth/authorize
Query Parameters
Name | Type | Description |
---|---|---|
response_type | string | Required. A string whose value must be code. |
client_id | string | Required. The Client ID you received from GitKraken when you created your OAuth App |
scope | string | Required. Space delimited list of scopes. |
state | string | A random string to prevent cross-site request forgery attacks. |
Users are redirected back to your site by GitKraken
When the user authorizes your application, GitKraken redirects back to your site with a temporary code in a code parameter, as well as the state you provided in the previous step. If you passed a state and it doesn't match at this step, you should abort the process. Exchange this code for an access token.
POST https://api.gitkraken.com/oauth/access_token
Post Body
Name | Type | Description |
---|---|---|
grant_type | string | Required. A string whose value must be authorization_code. |
client_id | string | Required. The Client ID you received from GitKraken for your OAuth App |
client_secret | string | Required. The Client Secret you received from GitKraken when creating your OAuth App. |
code | string | Required. The code you received as a response to step 1 |
Response
The access token you receive in response will be in a JSON document. This token can be used to make API calls on the user's behalf.
{
"access_token": "60497d42f112db0e6d59e4754fg7c15d139aa36f",
"token_type": "Bearer"
}
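The three steps of the Web Application Flow above, together with the client-secret handling rules from "Protecting the client secret", as one server-side handler. This is an added example and not GitKraken's own code: the endpoint URLs and parameter names are taken from this page, while the environment variable name, the `http_post` hook, the scope string and every sample value are assumptions made for illustration.

```python
"""Server-side handler for the GitKraken Boards OAuth web application flow.

Added example, not GitKraken's code. Endpoint URLs and parameter names come from
the documentation; the `http_post` hook, the environment variable name and all
sample values are assumptions.
"""
import json
import os
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://app.gitkraken.com/oauth/authorize"
TOKEN_URL = "https://api.gitkraken.com/oauth/access_token"


def generate_state() -> str:
    """Unguessable per-login state; keep it in the server-side session and check it on callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, scope: str, state: str) -> str:
    """Step 1: the URL the user's browser is sent to, carrying the four query parameters."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": scope,  # space-delimited list of scopes (placeholder values in the demo below)
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(query_string: str, expected_state: str) -> str:
    """Step 2: validate the redirect to the callback URL and return the temporary code.

    Raises (aborts the flow) when the state is missing or does not match the one we issued.
    """
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    returned_state = params.get("state", [""])[0]
    # Constant-time comparison on bytes so non-ASCII input cannot raise a TypeError.
    if not expected_state or not secrets.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: aborting OAuth flow")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback did not carry a code")
    return code


def _default_http_post(url: str, form: dict) -> bytes:
    """Real form-encoded POST; used only when no hook is injected."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def exchange_code(code: str, client_id: str, client_secret: str, http_post=_default_http_post) -> dict:
    """Step 3: server-to-server exchange of the code for an access token.

    This is the only place the client secret is used, so it never reaches a browser,
    mobile app or extension. `http_post` is an injectable hook (assumption) so the
    exchange can be exercised without network access.
    """
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
    }
    token = json.loads(http_post(TOKEN_URL, form))
    if token.get("token_type") != "Bearer" or not token.get("access_token"):
        raise ValueError("unexpected token response")
    return token


def authorization_header(token: dict) -> dict:
    """Header for subsequent API calls made on the user's behalf."""
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def load_client_secret() -> str:
    """Read the secret from the backend's environment, never from shipped code (assumed variable name)."""
    return os.environ["GITKRAKEN_CLIENT_SECRET"]


if __name__ == "__main__":
    # Constructed walk-through against a fake token endpoint; no network traffic.
    state = generate_state()
    print(build_authorize_url("example-client-id", "example_scope_a example_scope_b", state))
    code = parse_callback(f"code=constructed-code&state={state}", state)
    fake_post = lambda url, form: json.dumps({"access_token": "constructed-token", "token_type": "Bearer"}).encode()
    print(authorization_header(exchange_code(code, "example-client-id", "constructed-secret", fake_post)))
```

The `state` value is generated and verified only on the server, which is what makes the cross-site request forgery protection from the query parameter table effective; a mobile app or browser extension would call this backend's callback rather than performing `exchange_code` itself, so the client secret stays on the host.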
Revoke All User Tokens
By revoking all user tokens, all users will need to re-authorize with your application in order to continue using it.
Reset Client Secret
By resetting your client secret, the old secret will no longer work and you will need to update your application to use the new client secret. Use this option in the case that your client secret becomes compromised.