Skip to main content

Overview

Groniz supports OAuth2 Authorization Code flow, allowing you to build third-party applications that act on behalf of Groniz users. Instead of asking users for their API key, your app redirects them to Groniz where they approve access, and you receive a token to make API calls on their behalf.
OAuth tokens work with all the same Public API endpoints as API keys. The only difference is how the token is obtained.

How It Works

Implementation

1

Register Your OAuth App

Go to Settings > Developers > Apps in your Groniz dashboard and create an OAuth application.You will need to provide:
  • App Name - displayed to users on the consent screen
  • Description (optional) - explains what your app does
  • Profile Picture (optional) - shown on the consent screen
  • Redirect URL - where Groniz sends users after they approve/deny access
After creating the app, you will receive:
  • Client ID - a public identifier for your app (starts with pca_)
  • Client Secret - a secret key for token exchange (starts with pcs_)
The client secret is only shown once on creation. Copy it immediately and store it securely. If you lose it, you can rotate it from the settings page.
2

Redirect Users to Authorize

When a user wants to connect their Groniz account to your app, redirect them to:
ParameterRequiredDescription
client_idYesYour app’s Client ID
response_typeYesMust be code
stateNoA random string to prevent CSRF attacks. Recommended.
Example:
The user will see a consent screen showing your app’s name, description, and the permissions being requested. They can choose to Authorize or Deny.
3

Handle the Callback

After the user makes a decision, Groniz redirects them to your Redirect URL with query parameters.If approved:
ParameterDescription
codeAuthorization code to exchange for a token (expires in 10 minutes)
stateThe same state value you sent in the previous step
If denied:
Always verify that the state parameter matches what you originally sent to prevent CSRF attacks.
4

Exchange Code for Token

Make a server-side POST request to exchange the authorization code for an access token:
ParameterRequiredDescription
grant_typeYesMust be authorization_code
codeYesThe authorization code from the previous step
client_idYesYour app’s Client ID
client_secretYesYour app’s Client Secret
Response:
FieldDescription
idThe organization ID associated with the authorized user
cusThe Stripe customer ID for the organization (useful for billing integrations)
access_tokenThe token to use for subsequent API calls
token_typeAlways bearer
The authorization code expires after 10 minutes and can only be used once. If it expires, the user must go through the authorization flow again.
5

Make API Calls

Use the access token in the Authorization header, just like you would with an API key:
The token works with all Public API endpoints:
OAuth tokens do not expire. Users can revoke access at any time from Settings > Approved Apps in their Groniz dashboard.

Managing Your App

Rotate Client Secret

If your client secret is compromised, go to Settings > Developers > Apps and click Rotate Secret. This invalidates the old secret immediately — any token exchange requests using the old secret will fail.
Rotating the secret does not invalidate existing access tokens. Only new token exchange requests require the new secret.

Delete Your App

Deleting your OAuth app will:
  • Revoke all access tokens issued to users
  • Remove the app from all users’ Approved Apps list
  • This action cannot be undone

Full Example (Node.js)


Error Reference

ErrorWhenDescription
invalid_clientToken exchangeClient ID or Client Secret is wrong
invalid_grantToken exchangeCode is invalid, expired, or already used
unsupported_grant_typeToken exchangegrant_type is not authorization_code
access_deniedCallbackUser denied the authorization request