OAuth2 authentication guide

Document information
  • Canonical URL: /docs/04_connecting-systems/10_oauth2-authentication
  • Version: 2026-05-08
  • Tags: integrations, reference, oauth2-authentication

This guide explains how OAuth2 authentication works in Tealfabric integrations and how to keep token-based access reliable in production. It covers flow selection, configuration basics, scope handling, token lifecycle, and common failure patterns.

OAuth2 authentication in Tealfabric links provider consent, scoped tokens, and secure connector execution in a managed lifecycle.

Choose the right OAuth2 flow

Most user-consent integrations use the authorization code flow, where users sign in at the provider and grant requested scopes. This is the preferred flow for Google, Microsoft, Slack, and other web-based providers because it keeps user authentication and consent explicit.

Client credentials flow is best for service-to-service integrations where no user sign-in is required. Resource owner password credentials can still appear in legacy systems, but it should be used only when provider support and your security policy allow it.

Configure OAuth2 integration parameters

Before authentication, confirm your connector has correct client_id, client_secret, redirect URI, and required scopes. Redirect URI mismatches and missing scopes are the two most common causes of failed OAuth setup, so validate them early.

After authentication, check token status and granted scopes in the integration UI. If required scopes are missing, update scope configuration and re-authorize so the provider can issue a token with the correct access level.

Validate OAuth2 usage in code

The examples below show the same authenticated API call pattern in TypeScript and JavaScript after OAuth2 tokens are available.

const baseUrl = "https://api.example.com/api/v1";
const tenantId = "<TENANT_ID>";
const apiKey = "<API_KEY>";

type ConnectionStatus = {
  authenticated: boolean;
  expires_at?: string;
  scopes?: string[];
};

async function getOauthStatus(integrationId: string): Promise<ConnectionStatus> {
  const response = await fetch(
    `${baseUrl}/oauth2/token-status?integration_id=${encodeURIComponent(integrationId)}`,
    {
      method: "GET",
      headers: {
        "X-API-Key": apiKey,
        "X-Tenant-ID": tenantId,
        "Content-Type": "application/json",
      },
    }
  );
  if (!response.ok) throw new Error(`Request failed: ${response.status}`);
  const payload = (await response.json()) as { data?: ConnectionStatus };
  if (!payload.data) throw new Error("Missing token status payload");
  return payload.data;
}

API check for token status

Use this request to quickly verify whether an integration is currently authenticated and which scopes were granted.

curl -X GET "https://api.example.com/api/v1/oauth2/token-status?integration_id=<ENTITY_ID>" \
  -H "X-API-Key: <API_KEY>" \
  -H "X-Tenant-ID: <TENANT_ID>" \
  -H "Content-Type: application/json"
{
  "success": true,
  "data": {
    "authenticated": true,
    "expires_at": "2026-05-10T08:15:00Z",
    "scopes": [
      "mail.read",
      "mail.send"
    ]
  }
}

Operate OAuth2 safely

Treat access and refresh tokens as secrets, request only minimum scopes, and remove access when an integration is no longer needed. If refresh fails repeatedly, re-authorize the integration and confirm provider-side app configuration has not changed.

For provider-specific setup, continue with Google Cloud integrations, Microsoft Azure cloud integrations, and Microsoft 365 services integrations.