Register an OAuth application
Before users can sign in to your application, an org admin must register the application with ION. Run this mutation to register it:

| URI type | Purpose |
|---|---|
| callback | Where ION redirects users with the authorization code after they sign in |
| origin | Browser origins allowed to make authenticated requests |
| logout | Where ION redirects users after sign-out |
redirect_uri mismatches.
Run the authorization code flow
Follow the standard OAuth 2.0 authorization code flow:

- Redirect the user to the ION authorization endpoint. Include `client_id`, `redirect_uri`, `response_type=code`, `scope`, and `state`. Generate `state` as an unguessable per-request value and store it in the user's session.
- The user authenticates with their ION credentials or SSO.
- ION redirects to your `redirect_uri` with an authorization `code` and the `state` you sent. Check that the returned `state` matches the stored value before using the code.
- Exchange the code at the token endpoint for an `access_token`, and optionally a `refresh_token`. Send the same `redirect_uri` you used in the first step.
- Use the access token on subsequent API calls.
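The client side of the flow above, as an added example that is not part of ION's documentation or SDK. The endpoint URLs, the client credentials, the `fake_token_endpoint` stand-in and the issued code are all constructed so the example runs offline; a real integration would replace `post` with an HTTPS call to ION's token endpoint.

```python
import secrets
import urllib.parse

# Hypothetical endpoint URLs: the page does not give ION's real ones.
AUTHORIZE_URL = "https://ion.example/oauth/authorize"
TOKEN_URL = "https://ion.example/oauth/token"
REDIRECT_URI = "https://app.example/cb"   # assumed to be the registered callback URI


def new_state():
    """Unguessable per-request state; keep it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Step 1: the URL the user's browser is sent to."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urllib.parse.urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 3: validate the redirect back to redirect_uri and extract the code."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    returned = query.get("state", [""])[0]
    # A missing or different state means this callback was not started by this
    # session (CSRF or a replayed link), so the code in it must not be exchanged.
    if not returned or not secrets.compare_digest(returned, expected_state):
        raise ValueError("state mismatch")
    if not query.get("code"):
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def exchange_code(post, client_id, client_secret, code, redirect_uri):
    """Step 4: back-channel exchange of the code for tokens.

    `post(url, form_fields) -> dict` is the HTTP transport, injected so this runs offline.
    """
    response = post(TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        # Must match the registered callback URI exactly; ION rejects mismatches.
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if "access_token" not in response:
        raise RuntimeError(f"token endpoint error: {response.get('error', 'unknown_error')}")
    return response


# Constructed stand-in for ION's token endpoint, used only so the example runs offline.
ISSUED_CODE = "SplxlOBeZQQYbYS6WxSbIA"


def fake_token_endpoint(url, fields):
    if url != TOKEN_URL or fields.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    if fields.get("code") != ISSUED_CODE or fields.get("redirect_uri") != REDIRECT_URI:
        return {"error": "invalid_grant"}
    return {"access_token": "at-1", "token_type": "Bearer", "expires_in": 3600,
            "refresh_token": "rt-1"}


def run_flow(post=fake_token_endpoint):
    """Walks all five steps; the callback URL is constructed in place of a real browser."""
    state = new_state()
    build_authorization_url("my-client", REDIRECT_URI, ["openid", "profile"], state)
    callback = REDIRECT_URI + "?" + urllib.parse.urlencode({"code": ISSUED_CODE, "state": state})
    code = parse_callback(callback, state)
    return exchange_code(post, "my-client", "my-secret", code, REDIRECT_URI)


if __name__ == "__main__":
    print(run_flow())
```

The `state` check is the part most often skipped: without it, an attacker can complete the flow with their own account and get the victim's browser to finish the exchange, binding the victim's session to the attacker's ION identity.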
Handle token expiration and refresh
Access tokens have a short lifetime, typically one hour. Two patterns handle expiration:

- Short-lived integrations. Let the token expire. Re-run the auth flow the next time the user opens the app.
- Long-lived integrations. Request the `offline_access` scope at authorization. Then exchange refresh tokens for new access tokens transparently. A refresh token is a long-lived credential for the user: store it server-side and treat a refresh failure as a signal to send the user through the auth flow again.
Scopes
Scopes constrain what an OAuth-issued token can do. Standard scopes include the following:

| Scope | Allows |
|---|---|
| openid | Receive an ID token alongside the access token |
| profile | Read the user's profile |
| email | Read the user's email |
| offline_access | Receive a refresh token |