Authenticate third-party integrations requiring customer consent
client_secret secure and never expose it in client-side code. Store it securely on your backend server and only use it there to exchange authorization codes and refresh tokens for access tokens.
Get your credentials
client_id and client_secret. You’ll also need to configure your authorized redirect URIs.
Redirect to authorization
code_challenge: A code challenge derived from your code verifier
code_challenge_method: Either “S256” (recommended) or “plain”
Handle the callback
redirect_uri with an authorization code:
Exchange for tokens
code_verifier in the token request. The code verifier must:
Make authenticated requests
Refresh expired tokens
code_challenge_method="S256" (recommended):
code_challenge_method="plain":
code_challenge and code_challenge_method to the authorization URL