Authentication

Nudge uses OAuth 2.0. Connect once through Zapier or your integration, and you're all set. It's secure and simple.

OAuth 2.0 Authorization Flow

1. Authorization Request

Direct users to authorize your application:

GET /api/oauth/zapier/authorize

Query Parameters:

  • client_id (required): Your OAuth client ID
  • redirect_uri (required): Your registered redirect URI
  • response_type (required): Must be code
  • state (recommended): Random, unguessable string that you check against the value returned on the redirect, to prevent CSRF attacks
  • scope (optional): Space-separated list of scopes (default: read write)
  • code_challenge (optional): PKCE code challenge, derived from a client-generated code_verifier, so that an intercepted authorization code cannot be exchanged without the verifier
  • code_challenge_method (optional): PKCE method (S256)

Example:

https://app.justanudge.co/api/oauth/zapier/authorize?client_id=your_client_id&redirect_uri=https://zapier.com/callback&response_type=code&state=abc123&scope=read%20write

2. Token Exchange

Exchange the authorization code for access tokens:

POST /api/oauth/zapier/token

Headers:

Content-Type: application/x-www-form-urlencoded

Body Parameters:

  • grant_type (required): Either authorization_code or refresh_token
  • client_id (required): Your OAuth client ID
  • client_secret (required): Your OAuth client secret

For authorization code grant:

  • code (required): The authorization code received
  • redirect_uri (required): Same redirect URI used in authorization
  • code_verifier (optional): PKCE verifier if code challenge was used

For refresh token grant:

  • refresh_token (required): The refresh token

Response:

{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "eyJ...",
  "scope": "read write"
}

3. Using Access Tokens

Include the access token in all API requests:

Authorization: Bearer your-access-token

4. Revoking Tokens

To revoke OAuth tokens, use the revoke endpoint:

POST /api/oauth/zapier/revoke
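
The authorization request and token exchange above, as an added Python example that is not Nudge's own client code: it generates an S256 PKCE pair, builds the step 1 URL, checks state on the redirect, and builds the step 2 form body. The client ID, secret, redirect URI and callback URL are placeholders you supply, and nothing is sent over the network.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), the S256 method of RFC 7636."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Client side: a fresh random 43-character verifier and its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)

def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    """Token-endpoint side: recompute the challenge and compare in constant time."""
    return secrets.compare_digest(s256_challenge(code_verifier), code_challenge)

def build_authorize_url(client_id, redirect_uri, state, code_challenge, scope="read write"):
    """Step 1: the URL the user is sent to. urlencode writes the space in scope as '+'."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,                      # random per request; checked in parse_callback
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return "https://app.justanudge.co/api/oauth/zapier/authorize?" + urlencode(params)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Read the code off the redirect; a state mismatch is treated as CSRF and rejected."""
    query = parse_qs(urlparse(callback_url).query)
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback is not from our authorization request")
    return query["code"][0]  # KeyError if the callback carried an error instead of a code

def build_token_request(client_id, client_secret, code, redirect_uri, code_verifier):
    """Step 2: form body for POST /api/oauth/zapier/token (x-www-form-urlencoded)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,        # must match the one sent in step 1
        "code_verifier": code_verifier,      # proves possession of the PKCE verifier
    }
```

Keep the verifier and state in server-side session storage between the redirect out and the callback; the challenge is the only PKCE value that travels in the step 1 URL.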

Security Considerations

  1. OAuth Tokens: Tokens expire after 1 hour; use refresh tokens to obtain new access tokens
  2. HTTPS: All API requests must be made over HTTPS
  3. Scopes: OAuth integrations can request specific scopes:
    • read: Read user and contact information
    • write: Create review requests and contacts
  4. Authorization: Each token is tied to a specific user and can only access that user's data

Rate Limits

  • OAuth Authentication: 5000 requests per hour per user

Rate limit information is included in response headers:

X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 4999
X-RateLimit-Reset: 1704218400