# OAuth 2.0

Use OAuth 2.0 when the external provider requires delegated, token-based authorization with grant-specific configuration.

Nected supports:

* Client Credentials
* Password Grant
* Authorization Code

### When to use OAuth 2.0

* Provider requires OAuth endpoints (`Authorization URL` / `Token URL`)
* You need scoped access and token lifecycle management
* You need secure third-party integration without sharing raw user passwords (except Password Grant scenarios)

![OAuth setup flow in Nected Authorization](https://4290782554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLg716fCfV8IUwXQygkTG%2Fuploads%2FhpUHfdnaWbyanaNlcwn7%2FOAuth.gif?alt=media)

### Shared OAuth fields in Nected

Depending on the grant type, you will configure:

* **Grant Type**
* **Authorization URL** (Authorization Code only)
* **Token URL**
* **Client ID**
* **Client Secret**
* **Header Prefix** (optional, usually `Bearer`)
* **Audience** (optional)
* **Scope** (optional)
* **Username/Password** (Password Grant only)

### Grant type: Client Credentials

Use for server-to-server integration where your app accesses its own resources.

![Client Credentials grant fields](https://4290782554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLg716fCfV8IUwXQygkTG%2Fuploads%2FegumJKwWaftb8IgMoLAv%2Fclient_cred.png?alt=media)

#### Client Credentials: Required fields

* Token URL
* Client ID
* Client Secret
* Optional: Header Prefix, Audience, Scope

#### Client Credentials: Setup steps

1. Create auth from either location:
   * **Path A**: **Security > Authorization** -> **+ New Authentication** -> **OAuth 2.0**.
   * **Path B**: **REST API connector configuration sidebar** -> Authentication dropdown -> **Create Authentication** -> **OAuth 2.0**.
2. Select **Client Credentials** as grant type.
3. Fill required fields.
4. Save configuration and attach/select it in the integration step.
5. Test token fetch + API call.

### Grant type: Password Grant

Use only when the provider requires the resource-owner username/password flow and your trust boundary allows handing user credentials to the integration.

![Password grant fields](https://4290782554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLg716fCfV8IUwXQygkTG%2Fuploads%2FduyDPHkWNm2jKdpJCbqQ%2Fpassword.png?alt=media)

#### Password Grant: Required fields

* Token URL
* Client ID
* Client Secret
* Username
* Password
* Optional: Header Prefix, Audience, Scope

#### Password Grant: Setup steps

1. Create/select **OAuth 2.0** authentication from Security Authorization or directly from the REST API connector sidebar.
2. Select **Password Grant** in OAuth configuration.
3. Enter token endpoint + client credentials + user credentials.
4. Save and attach/select it in the integration.
5. Test authenticated API call.

### Grant type: Authorization Code

Use for user-consent-based integrations and higher security requirements.

![Authorization Code grant fields](https://4290782554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLg716fCfV8IUwXQygkTG%2Fuploads%2FbrVIjO5pHs806z5jYFIy%2Fauth_code.png?alt=media)

#### Authorization Code: Required fields

* Authorization URL
* Token URL
* Client ID
* Client Secret
* Optional: Header Prefix, Audience, Scope

#### Authorization Code: Setup steps

1. Create/select **OAuth 2.0** authentication from Security Authorization or directly from the REST API connector sidebar.
2. Select **Authorization Code** grant in OAuth configuration.
3. Enter provider authorization + token URLs.
4. Add client credentials.
5. Ensure redirect URI is configured at provider side (for example `https://app.nected.ai/oauth/redirect` when applicable).
6. Save configuration.
7. Complete authorization flow and verify token exchange.

### How to validate OAuth setup

1. Trigger a call to the protected endpoint from the integration.
2. Verify that a token is fetched and sent on the request successfully.
3. Confirm the response status and payload from the provider.
4. Re-test after the token expiry window to confirm that the token is refreshed or re-fetched rather than reused.
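As an added illustration (not Nected's own code, and not a description of how Nected implements this internally), the following Python maps the fields configured above to the standard RFC 6749 token request for each grant type, builds the `Authorization` header from the Header Prefix, and shows the re-fetch-after-expiry behaviour that validation step 4 checks. The token endpoint is a constructed stub; `skew`, `fake_token_endpoint` and the config key names are assumptions.

```python
# Added illustration (not Nected's own code): map the configured OAuth 2.0 fields
# to the RFC 6749 token request and re-fetch a cached token once it expires.
import time

def build_token_request(cfg: dict) -> dict:
    """Form body for the token endpoint, built from the grant type and fields."""
    grant = cfg["grant_type"]
    body = {"grant_type": grant,
            "client_id": cfg["client_id"],
            "client_secret": cfg["client_secret"]}
    if grant == "password":                      # Password Grant only
        body["username"] = cfg["username"]
        body["password"] = cfg["password"]
    elif grant == "authorization_code":          # Authorization Code only
        body["code"] = cfg["code"]               # code delivered to the redirect URI
        body["redirect_uri"] = cfg["redirect_uri"]
    elif grant != "client_credentials":
        raise ValueError(f"unsupported grant type: {grant}")
    for opt in ("scope", "audience"):            # optional fields, sent only if set
        if cfg.get(opt):
            body[opt] = cfg[opt]
    return body

class TokenCache:
    """Holds one access token and re-fetches it when expires_in has elapsed."""
    def __init__(self, cfg, fetch, clock=time.time, skew=30):
        # skew: seconds before nominal expiry at which we refresh (assumed value)
        self.cfg, self.fetch, self.clock, self.skew = cfg, fetch, clock, skew
        self.token, self.expires_at = None, 0.0

    def auth_header(self) -> dict:
        if self.token is None or self.clock() >= self.expires_at - self.skew:
            resp = self.fetch(self.cfg["token_url"], build_token_request(self.cfg))
            if "access_token" not in resp:       # e.g. {"error": "invalid_client"}
                raise RuntimeError(f"token fetch failed: {resp.get('error')}")
            self.token = resp["access_token"]
            self.expires_at = self.clock() + float(resp.get("expires_in", 3600))
        prefix = self.cfg.get("header_prefix") or "Bearer"   # Header Prefix field
        return {"Authorization": f"{prefix} {self.token}"}

# Constructed stub standing in for the provider's token endpoint (not a real IdP).
def fake_token_endpoint(url, body):
    if body["client_secret"] != "s3cret":
        return {"error": "invalid_client"}
    return {"access_token": f"tok-{body['grant_type']}", "expires_in": 60}
```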

![OAuth authorization and validation walkthrough](https://4290782554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLg716fCfV8IUwXQygkTG%2Fuploads%2F46NcvpvWtgvtbKmzQC6S%2Fezgif.com%20video%20to%20gif%20converted.gif?alt=media)

### Security considerations

* Prefer **Authorization Code** or **Client Credentials** over Password Grant when possible.
* Keep client secrets in secure secret stores only.
* Restrict scopes to minimum required access.
* Ensure all OAuth endpoints are HTTPS.
* Keep redirect URIs exact and trusted.

### Common errors and fixes

* **Invalid client** (`invalid_client`): check the Client ID and Client Secret.
* **Invalid `redirect_uri`**: ensure the redirect URI matches the provider configuration exactly.
* **`invalid_scope`**: the requested scope is not allowed by the provider.
* **Token fetch fails**: verify the Token URL, grant type, and required grant fields.
* **401 after setup**: the token may be expired, or the API requires a different audience/scope.
