search
LicenseGitHub

OAuth & SSO

This guide explains how to integrate your application with AutoGPT Platform using OAuth 2.0. OAuth can be used for API access, Single Sign-On (SSO), or both.

For general API information and endpoint documentation, see the API Guide and the Swagger documentationarrow-up-right.

hashtag
Overview

AutoGPT Platform's OAuth implementation supports multiple use cases:

hashtag
OAuth for API Access

Use OAuth when your application needs to call AutoGPT APIs on behalf of users. This is the most common use case for third-party integrations.

When to use:

  • Your app needs to run agents, access the store, or manage integrations for users

  • You want user-specific permissions rather than a single API key

  • Users should be able to revoke access to your app

hashtag
SSO: "Sign in with AutoGPT"

Use SSO when you want users to sign in to your app through their AutoGPT account. Request the IDENTITY scope to get user information.

When to use:

  • You want to use AutoGPT as an identity provider

  • Users already have AutoGPT accounts and you want seamless login

  • You need to identify users without managing passwords

Note: SSO and API access can be combined. Request IDENTITY along with other scopes to both authenticate users and access APIs on their behalf.

hashtag
Integration Setup Wizard

A separate flow that guides users through connecting third-party services (GitHub, Google, etc.) to their AutoGPT account. See Integration Setup Wizard below.

hashtag
Prerequisites

Before integrating, you need an OAuth application registered with AutoGPT Platform. Contact the platform administrator to obtain:

  • Client ID - Public identifier for your application

  • Client Secret - Secret key for authenticating your application (keep this secure!)

  • Registered Redirect URIs - URLs where users will be redirected after authorization

hashtag
OAuth Flow

The OAuth flow is technically the same whether you're using it for API access, SSO, or both. The main difference is which scopes you request.

hashtag
Step 1: Redirect User to Authorization

Redirect the user to the AutoGPT authorization page with the required parameters:

hashtag
Parameters

Parameter
Required
Description

client_id

Yes

Your OAuth application's client ID

redirect_uri

Yes

URL to redirect after authorization (must match registered URI)

scope

Yes

Space-separated list of permissions (see Available Scopes)

state

Yes

Random string to prevent CSRF attacks (store and verify on callback)

code_challenge

Yes

PKCE code challenge (see PKCE)

code_challenge_method

Yes

Must be S256

response_type

Yes

Must be code

hashtag
Step 2: Handle the Callback

After the user approves (or denies) access, they'll be redirected to your redirect_uri:

Success:

Error:

Always verify the state parameter matches what you sent in Step 1.

hashtag
Step 3: Exchange Code for Tokens

Exchange the authorization code for access and refresh tokens:

Response:

hashtag
Step 4: Use the Access Token

Include the access token in API requests:

For SSO: If you requested the IDENTITY scope, fetch user info to identify the user:

Response:

See the Swagger documentationarrow-up-right for all available endpoints.

hashtag
Step 5: Refresh Tokens

Access tokens expire after 1 hour. Use the refresh token to get new tokens:

Response:

hashtag
Integration Setup Wizard

The Integration Setup Wizard guides users through connecting third-party services (like GitHub, Google, etc.) to their AutoGPT account. This is useful when your application needs users to have specific integrations configured.

hashtag
Redirect to the Wizard

hashtag
Parameters

Parameter
Required
Description

client_id

Yes

Your OAuth application's client ID

providers

Yes

Base64-encoded JSON array of provider configurations

redirect_uri

Yes

URL to redirect after setup completes

state

Yes

Random string to prevent CSRF attacks

hashtag
Provider Configuration

The providers parameter is a Base64-encoded JSON array:

hashtag
Handle the Callback

After setup completes:

Success:

Failure/Cancelled:

hashtag
Provider Scopes Reference

When using the Integration Setup Wizard, you need to specify which scopes to request from each provider. Here are common providers and their scopes:

hashtag
GitHub

Documentation: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps

Scope
Description

repo

Full control of private repositories

read:user

Read user profile data

user:email

Access user email addresses

gist

Create and manage gists

workflow

Update GitHub Actions workflows

Example:

hashtag
Google

Documentation: https://developers.google.com/identity/protocols/oauth2/scopes

Scope
Description

email

View email address (default)

profile

View basic profile info (default)

openid

OpenID Connect (default)

https://www.googleapis.com/auth/calendar

Google Calendar access

https://www.googleapis.com/auth/drive

Google Drive access

https://www.googleapis.com/auth/gmail.readonly

Read Gmail messages

Example:

hashtag
Notion

Documentation: https://developers.notion.com/reference/capabilities

Notion uses a single OAuth scope that grants access based on pages the user selects during authorization.

hashtag
Linear

Documentation: https://developers.linear.app/docs/oauth/authentication

Scope
Description

read

Read access to Linear data

write

Write access to Linear data

issues:create

Create issues

hashtag
PKCE Implementation

PKCE (Proof Key for Code Exchange) is required for all authorization requests. Here's how to implement it:

hashtag
JavaScript Example

hashtag
Python Example

hashtag
Token Management

hashtag
Token Lifetimes

Token Type
Lifetime

Access Token

1 hour

Refresh Token

30 days

Authorization Code

10 minutes

hashtag
Token Introspection

Check if a token is valid:

Response:

hashtag
Token Revocation

Revoke a token when the user logs out:

hashtag
Security Best Practices

  1. Store client secrets securely - Never expose them in client-side code or version control

  2. Always use PKCE - Required for all authorization requests

  3. Validate state parameters - Prevents CSRF attacks

  4. Use HTTPS - All production redirect URIs must use HTTPS

  5. Request minimal scopes - Only request the permissions your app needs

  6. Handle token expiration - Implement automatic token refresh

  7. Revoke tokens on logout - Clean up when users disconnect your app

hashtag
Error Handling

hashtag
Common OAuth Errors

Error
Description
Solution

invalid_client

Client ID not found or inactive

Verify client ID is correct

invalid_redirect_uri

Redirect URI not registered

Register URI with platform admin

invalid_scope

Requested scope not allowed

Check allowed scopes for your app

invalid_grant

Code expired or already used

Authorization codes are single-use

access_denied

User denied authorization

Handle gracefully in your UI

hashtag
HTTP Status Codes

Code
Meaning

200

Success

400

Bad request (invalid parameters)

401

Unauthorized (invalid/expired token)

403

Forbidden (insufficient scope)

404

Resource not found

hashtag
Support

For issues or questions about OAuth integration:

PreviousAPI Introduction

Last updated

Was this helpful?