Comment on page
OAuth
OAuth lets you create applications that can access Open Collective's API to read information and trigger changes on the platform.
- 1.Go to
https://opencollective.com/{account}/admin/for-developers(replace{account}by the slug of the account you want to use as the owner of the app) - 2.Click on
+ Create OAuth appand fill in the required information
- 3.On the success page, copy the client ID and secret for later use
The web application flow to authorize users for your app is:
- 1.Users are redirected to request their Open Collective identity
- 2.Users are redirected back to your site by Open Collective with special code shared in the URL
- 3.You exchange the received code for an OAuth token
Name | Type | Description |
|---|---|---|
client_id | string | |
response_type | string | Required. Only supported value for now is code |
redirect_uri | string | The URL in your application where users will be sent after authorization. If left out, Open Collective will redirect users to the callback URL configured in the OAuth Application settings. If provided, the redirect URL's host and port must exactly match the callback URL. |
scope | string | A comma-separated list of scopes. If not provided, scope defaults to an empty list. |
state | string | Use it to pass some state back to your application after redirecting and to protect against cross-site request forgery attacks (CSRF) by including an unguessable random string. See scopes below. |
After users accept your request, they're redirected back to your site with a temporary
code passed as an URL query parameter as well as the state you provided in the previous step. The temporary code will expire after 5 minutes. If the states don't match, then a third party created the request, and you should abort the process.Otherwise, you can exchange the
code you received as a parameter for an access token:Parameter | Type | Description |
|---|---|---|
grant_type | string | Required. The only supported value for now is authorization_code |
client_id | string | |
client_secret | string | |
code | string | |
redirect_uri | string | Required. The URL in your application where users are sent after authorization. |
If the request succeeds, you'll receive an HTTP 200 response code with a JSON payload like:
{
"access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
This
access_token is what you want to use to access the API.The access token allows you to make requests to the API on a behalf of a user on our public GraphQL API.
Authorization: Bearer {ACCESS_TOKEN}
GET https://opencollective.com/oauth/token
For example, in curl you can set the Authorization header like this:
curl 'https://opencollective.com/api/graphql/v2' \
-H 'authorization: Bearer {ACCESS_TOKEN}' \
-H 'content-type: application/json' \
-d '{"query": "{ me { id name email } }"}'
Scopes let you specify exactly what type of access you need. Scopes limit access for OAuth tokens. They do not grant any additional permission beyond that which the user already has.
When setting up an OAuth App on Open Collective, requested scopes are displayed to the user on the authorization form.
email: Access your email address.incognito: Access your incognito account.account: Manage your account, collectives and organizations.expenses: Create and manage expenses, payout methods.orders: Create and manage contributions, payment methods.transactions: Refund and reject recorded transactions.virtualCards: Create and manage virtual cards.updates: Create and manage updates.conversations: Create and manage conversations.webhooks: Create and manage webhookshost: Administrate fiscal hosts.
By default, OAuth apps are not allowed to use Two Factor Authentication (2FA) and thus cannot use protected queries and mutations (e.g.
payExpense, removeHost, ...etc.) for accounts with 2FA setup. If your app needs these permissions, reach out to us on Slack (in the #api channel) or contact support, and we'll enable it manually.Once allowed for 2FA, your app will show a special message for users connecting with 2FA to let them know that they're giving this special permission:
Connect OAuth app authorization screen
Authorized apps screen
To know whether the 2FA permission has been granted to your app, go to the application settings in your workspace and look for the warning at the top:
Last modified 25d ago