OAuth

OAuth (short for Open Authorization) is a secure way for apps like Flowgear to access your data in another service - without needing your username or password.

Instead of entering your login details directly in Flowgear, you log in to the service itself and give Flowgear permission to access only what it needs.

This process is widely used by many services (like Google, Microsoft, Dropbox, and others), but the setup steps can vary slightly from one service to another.

The sections below explain the key terms and values you might come across when connecting an OAuth-based service.

Client ID

The Client ID is a unique identifier that tells the service which app is requesting access. It's provided when you register the app with the service (or when following their OAuth setup process).

In Flowgear, you'll usually enter the Client ID when setting up a connection to a service that uses OAuth.

The Client ID is not a secret: it's often visible in URLs or request details, and in most cases it is safe to share. Even so, it shouldn't be posted publicly without reason.

Client Secret

The Client Secret is like a password for your app or integration. It works together with the Client ID to prove that the request is coming from an authorized source.

Most services will show the Client Secret only once when you create it. After that, it will often be hidden or partially masked.

Make sure to copy and store it somewhere safe - such as a secure password manager - because you may not be able to view it again.

Never share your Client Secret or include it in emails or chat messages. If someone else gets access to it, they could impersonate your app.

Scope

Scope defines what parts of your account the connected app (in this case, Flowgear) is allowed to access - such as reading emails, managing calendar events, or viewing files.

In most cases, Flowgear will automatically request the correct scopes needed for the integration.

However, some services may require you to manually enter or review the scopes during setup. This usually happens if:

  • The service offers a wide range of permissions and asks you to select the ones you need
  • The integration requires access to specific features that aren't included by default

If any manual input is required, Flowgear will let you know exactly what to enter.

Tip: Scopes are usually short phrases like read:files or calendar.readwrite. The service may show a permissions screen so you can review and approve what's being requested.

Access Token

The Access Token is what Flowgear uses behind the scenes to access the service on your behalf - for example, to read data or perform actions.

Access Tokens are created during the OAuth process after you've approved the connection.

They are usually short-lived (often expiring after an hour or two) to help keep your account secure. Once expired, Flowgear may need to request a new one using a Refresh Token.

You don't need to manage the Access Token directly - Flowgear handles this for you.

Refresh Token

The Refresh Token allows Flowgear to request a new Access Token when the current one expires - without asking you to log in again.

Refresh Tokens usually last much longer than Access Tokens (sometimes days, weeks, or even indefinitely, depending on the service).

Not all services provide a Refresh Token. If one isn't available, Flowgear may prompt you to log in again periodically.

Just like the Access Token, you don't need to manage this token yourself - Flowgear handles it automatically.

Redirect URI

The Redirect URI is the web address where the service sends you back after you've logged in and approved access.

When you connect an app like Flowgear, the service will ask where it should send you once you've finished the login and permission steps.

Flowgear uses specific Redirect URIs to securely complete this process. These addresses are:

  • https://app.flowgear.net/r/auth
  • https://appnew.flowgear.net/r/auth
  • https://appnext.flowgear.net/r/auth

The Redirect URI must exactly match one of these addresses to keep your connection safe.

Flowgear will never ask you to log in without redirecting you to one of these approved addresses.

Why is the Redirect URI important?

It ensures that after you log in, you are sent back to the correct place - in this case, Flowgear - and nowhere else. This helps protect your information by preventing attackers from intercepting the login process.
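The exact-match rule can be checked on any login link before you enter credentials. The following is an added example, not Flowgear's own code: it reads the redirect_uri parameter from a login URL and accepts it only if it is character-for-character one of the three addresses listed above. The idp.example host, the EXAMPLE client ID and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# The three Redirect URIs listed on this page.
APPROVED_REDIRECT_URIS = frozenset({
    "https://app.flowgear.net/r/auth",
    "https://appnew.flowgear.net/r/auth",
    "https://appnext.flowgear.net/r/auth",
})


def redirect_uri_of(login_url):
    """Return the single redirect_uri parameter of a login URL, or None.

    A missing or repeated parameter yields None, because different parsers
    may pick different copies of a repeated parameter.
    """
    query = parse_qs(urlsplit(login_url).query, keep_blank_values=True)
    values = query.get("redirect_uri", [])
    return values[0] if len(values) == 1 else None


def is_approved_login_url(login_url):
    """True only if redirect_uri is exactly one of the approved addresses."""
    return redirect_uri_of(login_url) in APPROVED_REDIRECT_URIS


# Constructed sample login URLs; idp.example and client_id=EXAMPLE are placeholders.
BASE = "https://idp.example/authorize?response_type=code&client_id=EXAMPLE&redirect_uri="
SAMPLES = {
    "exact match": BASE + "https%3A%2F%2Fapp.flowgear.net%2Fr%2Fauth",
    "lookalike host": BASE + "https%3A%2F%2Fapp.flowgear.net.example%2Fr%2Fauth",
    "extra path": BASE + "https%3A%2F%2Fapp.flowgear.net%2Fr%2Fauth%2F..%2Fother",
    "plain http": BASE + "http%3A%2F%2Fapp.flowgear.net%2Fr%2Fauth",
    "host after @": BASE + "https%3A%2F%2Fapp.flowgear.net%40idp.example%2Fr%2Fauth",
    "repeated parameter": BASE + "https%3A%2F%2Fapp.flowgear.net%2Fr%2Fauth"
                                 "&redirect_uri=https%3A%2F%2Fidp.example%2Fcb",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(f"{label:20} approved={is_approved_login_url(url)}")
```

Only the first sample is approved. Prefix, substring or "same domain" comparisons would let some of the others through, which is why the match has to be exact.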

Grant Types

Grant Types describe how Flowgear gets permission to access your data from the service.

There are a few common types:

Authorization Code

This is the most common method. You'll be redirected to the service's login page, where you enter your credentials and approve what Flowgear can access. After that, Flowgear receives an authorization code, which it uses to get access.

Client Credentials

With this method, Flowgear uses the Client ID and Client Secret directly to get access - without needing you to log in or approve anything each time.

This is usually used for connections that don't involve a specific user, but rather the app itself.

Refresh Token / Offline Access

Access Tokens are short-lived for security reasons. The Refresh Token lets Flowgear get a new Access Token automatically when the old one expires, so you don't have to log in again.

If a Refresh Token isn't available, you may need to log in more often or use the Client Credentials method.
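The token lifecycle described under Access Token, Refresh Token and Refresh Token / Offline Access can be summarised in code. This is an added example of the general pattern, not Flowgear's implementation: TokenStore, ReauthorizationRequired and fake_token_endpoint are hypothetical names, the token values are constructed, and the one-hour default lifetime is an assumption.

```python
import time


class ReauthorizationRequired(Exception):
    """No usable token is left; the user has to log in and approve again."""


class TokenStore:
    """Holds one connection's tokens (hypothetical helper, not a Flowgear API)."""

    def __init__(self, access_token, expires_in, refresh_token=None, now=None):
        now = time.time() if now is None else now
        self.access_token = access_token
        self.expires_at = now + expires_in
        self.refresh_token = refresh_token  # None: the service issued none

    def get_access_token(self, refresh, now=None, skew=60):
        """Return a valid Access Token, refreshing it when (almost) expired.

        `refresh` is a callable that takes the Refresh Token and returns a
        dict with the fields of an OAuth token response.
        """
        now = time.time() if now is None else now
        if now < self.expires_at - skew:
            return self.access_token            # still valid, reuse it
        if self.refresh_token is None:
            raise ReauthorizationRequired("access token expired, no refresh token")
        response = refresh(self.refresh_token)
        if "access_token" not in response:      # e.g. Refresh Token revoked or expired
            self.refresh_token = None
            raise ReauthorizationRequired(response.get("error", "refresh failed"))
        self.access_token = response["access_token"]
        # Assumed default of one hour when the response omits expires_in.
        self.expires_at = now + response.get("expires_in", 3600)
        # Some services rotate the Refresh Token on every use; keep the new one.
        self.refresh_token = response.get("refresh_token", self.refresh_token)
        return self.access_token


def fake_token_endpoint(refresh_token):
    """Constructed stand-in for a service's token endpoint (no network)."""
    if refresh_token != "rt-1":
        return {"error": "invalid_grant"}
    return {"access_token": "at-2", "expires_in": 3600, "refresh_token": "rt-2"}
```

The skew margin refreshes the token slightly before it expires, so a request that is already in flight does not fail at the service with a token that has just run out.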