# OAuth

OAuth is an authorization standard widely used by larger companies such as Google, Apple, and Facebook. OAuth offers a higher level of security than static tokens because OAuth tokens are refreshed automatically and access can be limited with a scope.

> Dixa supports **Authorization Code Flow** and **Client Credentials Flow** as OAuth strategies. The third-party service determines which one is used.


## Prerequisite

* The connecting API must support OAuth 2
* You need to be a workspace admin in Dixa to create a custom card


## Setting up the application

* Because of the secure nature of an OAuth application, it's necessary to configure both sides of the transaction. The third party is the application, and Dixa is the user.
* The Dixa backend handles the grant and can be ignored when configuring OAuth in Dixa.
* Part of the Dixa OAuth feature is to refresh tokens automatically.


### Application with code flow

You will need to obtain the following at the third party for an authorization code flow:

* client ID
* client secret
* Scope
* Authorization Endpoint
* Token Endpoint


Applications will ask for a redirect URL, which is always the same for Dixa custom cards. Insert the following into the third-party setup:


```
https://partner-integrations.dixa.io/auth/provider/callback
```

A scope can limit access to areas of an API. If you take Google as an example, a scope for their calendar will look like this:

`https://www.googleapis.com/auth/calendar.readonly`

And with HubSpot, a scope for OAuth and CRM objects looks like this:

`oauth crm.objects.contacts.read`

The third party typically generates the client ID and secret; their format and length vary from provider to provider.

#### Set up Dixa

In Dixa, we must match the scope, client ID, and secret from the third party.

![](/assets/oauth.afecc10cfeb004bdbc4a17bd810ee36075cc07798001358374f3b84f77d83e8e.fcd6b147.png)

The third party defines the authorization and token endpoints, which can usually be found in its documentation or when configuring the token/app.

After you have populated the necessary fields, you save the information by clicking **Save configuration** and then proceed by selecting **Authorize**. A pop-up will open asking you to sign in (if you're not already signed in with the third party). You must click on both the **Save configuration** and **Authorize** buttons.

### Application with credential flow

Because of the secure nature of an OAuth application, it's necessary to configure both sides of the transaction. The third party is the application, and Dixa is the user.

You will need to obtain the following at the third party for a client credentials flow:

* client ID
* client secret
* Authorization Endpoint
* Token Endpoint
* Scope
* Audience


Applications will ask for a redirect URL, which is always the same for Dixa custom cards. Insert the following into the third-party setup:


```
https://partner-integrations.dixa.io/auth/provider/callback
```

A scope can limit access to areas of an API. If you take Google as an example, a scope for their calendar will look like this:

`https://www.googleapis.com/auth/calendar.readonly`

And with HubSpot, a scope for OAuth and CRM objects looks like this:

`oauth crm.objects.contacts.read`

The third party typically generates the client ID and secret; their format and length vary from provider to provider.

The audience should reference Dixa.

#### Set up Dixa

In Dixa, we must match the scope, client ID, and secret from the third party.

![](/assets/oauth2.2f861a74c88dda5270c37419526f3adc7a35e16d03ac03641e734ef3e37d70c6.fcd6b147.png)

The third party defines the **Authorization Endpoint** and **Token Endpoint**. Both can usually be found in their documentation.

**Scope** and **Audience** are optional in an OAuth flow but can be required by a third party. [Auth0](https://community.auth0.com/t/what-is-the-audience/71414), [Ory](https://www.ory.sh/docs/hydra/guides/audiences), and [MojoAuth](https://mojoauth.com/glossary/jwt-audience/) have useful explanations of how they implement the audience parameter.

After you have populated the necessary fields, you save the information by clicking **Save configuration** and then proceed by selecting **Authorize**. A pop-up will open asking you to sign in (if you're not already signed in with the third party). You must click on both the **Save configuration** and **Authorize** buttons.
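To make the two flows concrete, here is an added example (not Dixa's own code) that builds the requests a client such as the Dixa backend sends to a third party: the authorization URL and code exchange for the code flow, the token request with scope and audience for the client credentials flow, and the automatic refresh request. The endpoint and client values are placeholders; only the redirect URL and the HubSpot-style scope come from this page.

```python
"""OAuth 2 requests for the two grant types the page describes, built the way a
client such as Dixa's backend would build them. Constructed example: endpoint
and client values are placeholders, not a real third party."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Fixed redirect URL for all Dixa custom cards (from the page).
DIXA_REDIRECT_URI = "https://partner-integrations.dixa.io/auth/provider/callback"

# Hypothetical third-party values; a real setup takes these from the provider.
CONFIG = {
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
    "authorization_endpoint": "https://provider.example/oauth/authorize",
    "token_endpoint": "https://provider.example/oauth/token",
    "scope": "oauth crm.objects.contacts.read",  # HubSpot-style scope from the page
    "audience": "https://partner-integrations.dixa.io",  # hypothetical value
}

def authorization_url(cfg, state):
    """Code flow, step 1: the URL the Authorize pop-up sends the user to.
    `state` must be unguessable (e.g. secrets.token_urlsafe) and stored."""
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": DIXA_REDIRECT_URI, "scope": cfg["scope"],
              "state": state}
    return f"{cfg['authorization_endpoint']}?{urlencode(params)}"

def code_exchange_body(cfg, callback_url, expected_state):
    """Code flow, step 2: form body POSTed to the token endpoint after the
    provider redirects back to DIXA_REDIRECT_URI with ?code=...&state=..."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    return {"grant_type": "authorization_code", "code": qs["code"][0],
            "redirect_uri": DIXA_REDIRECT_URI,  # must match step 1 exactly
            "client_id": cfg["client_id"], "client_secret": cfg["client_secret"]}

def client_credentials_body(cfg):
    """Client credentials flow: no user, no redirect. Scope and audience are
    optional in the spec but sent when the third party requires them."""
    body = {"grant_type": "client_credentials", "client_id": cfg["client_id"],
            "client_secret": cfg["client_secret"]}
    body.update({k: cfg[k] for k in ("scope", "audience") if cfg.get(k)})
    return body

def refresh_body(cfg, refresh_token):
    """What automatic refresh sends: the refresh token, no user interaction."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": cfg["client_id"], "client_secret": cfg["client_secret"]}
```

Each body is sent as a form-encoded POST to the token endpoint; the `state` check is what stops a callback that was not started by this client from being accepted.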