OAuth2 Integrations
Configure OAuth2 authentication for integrations.
Configuration
json
{
"credentials": {
"salesforce": {
"oauth2": {
"clientId": "{{env.SF_CLIENT_ID}}",
"clientSecret": "{{env.SF_CLIENT_SECRET}}",
"accessToken": "{{env.SF_ACCESS_TOKEN}}",
"refreshToken": "{{env.SF_REFRESH_TOKEN}}",
"tokenUrl": "https://login.salesforce.com/services/oauth2/token"
}
}
}
}OAuth2 Fields
| Field | Required | Description |
|---|---|---|
clientId | Yes | OAuth2 client ID |
clientSecret | Yes | OAuth2 client secret |
accessToken | Yes | Current access token |
refreshToken | Yes | Refresh token |
tokenUrl | Yes | Token refresh endpoint |
scope | No | OAuth2 scopes |
Automatic Token Refresh
Backflow automatically refreshes tokens when:
- Access token expires
- API returns 401
Refreshed tokens are stored and reused.
Per-Integration OAuth
Each integration can have its own OAuth2 config:
json
{
"credentials": {
"hubspot": {
"oauth2": {
"clientId": "{{env.HUBSPOT_CLIENT_ID}}",
"clientSecret": "{{env.HUBSPOT_CLIENT_SECRET}}",
"accessToken": "{{env.HUBSPOT_ACCESS_TOKEN}}",
"refreshToken": "{{env.HUBSPOT_REFRESH_TOKEN}}",
"tokenUrl": "https://api.hubapi.com/oauth/v1/token"
}
},
"google": {
"oauth2": {
"clientId": "{{env.GOOGLE_CLIENT_ID}}",
"clientSecret": "{{env.GOOGLE_CLIENT_SECRET}}",
"accessToken": "{{env.GOOGLE_ACCESS_TOKEN}}",
"refreshToken": "{{env.GOOGLE_REFRESH_TOKEN}}",
"tokenUrl": "https://oauth2.googleapis.com/token"
}
}
}
}Custom Integration with OAuth2
json
{
"customIntegrations": [{
"name": "salesforce",
"baseUrl": "https://your-instance.salesforce.com",
"auth": {
"type": "oauth2",
"oauth2": {
"clientId": "{{env.SF_CLIENT_ID}}",
"clientSecret": "{{env.SF_CLIENT_SECRET}}",
"accessToken": "{{env.SF_ACCESS_TOKEN}}",
"refreshToken": "{{env.SF_REFRESH_TOKEN}}",
"tokenUrl": "https://login.salesforce.com/services/oauth2/token"
}
},
"actions": {
"getAccount": {
"method": "GET",
"path": "/services/data/v58.0/sobjects/Account/{{params.id}}"
}
}
}]
}Obtaining Tokens
Initial Setup
- Create OAuth2 app in provider's console
- Configure redirect URI
- Complete authorization flow
- Store tokens in environment
Example: Salesforce
bash
# 1. Get authorization code
# User visits: https://login.salesforce.com/services/oauth2/authorize?
# client_id=YOUR_CLIENT_ID&
# redirect_uri=YOUR_REDIRECT_URI&
# response_type=code
# 2. Exchange code for tokens
curl -X POST https://login.salesforce.com/services/oauth2/token \
-d "grant_type=authorization_code" \
-d "code=AUTH_CODE" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET" \
-d "redirect_uri=YOUR_REDIRECT_URI"Common OAuth2 Token URLs
| Provider | Token URL |
|---|---|
| Salesforce | https://login.salesforce.com/services/oauth2/token |
| HubSpot | https://api.hubapi.com/oauth/v1/token |
https://oauth2.googleapis.com/token | |
| Microsoft | https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token |
| Shopify | https://{shop}.myshopify.com/admin/oauth/access_token |
Tenant-Specific OAuth
For multi-tenant, store OAuth tokens per tenant:
json
{
"credentials": {
"salesforce": {
"oauth2": {
"clientId": "{{env.SF_CLIENT_ID}}",
"clientSecret": "{{env.SF_CLIENT_SECRET}}",
"accessToken": "{{secret.SF_ACCESS_TOKEN}}",
"refreshToken": "{{secret.SF_REFRESH_TOKEN}}",
"tokenUrl": "https://login.salesforce.com/services/oauth2/token"
}
}
}
}{{secret.*}} references tenant-specific secrets.