Authentication

No authentication is used when accessing public APIs or endpoints that don't require user identification or authorization.

Use Cases:

• Public APIs with open access.

• Endpoints serving non-sensitive data.

Security Considerations:

• No security measures; anyone can access the resource.

• Not suitable for sensitive or user-specific data.

Connection V1 – Field Explanations

Purpose:
A Connection in viaSocket defines how your plugin securely links to an external service, so users can authorize access to their data.

1. Configure Your Fields

What it is:
This is where you define the input fields needed from the user to authenticate. For Basic Auth, these are usually:

• Username / API Key – the identifier for the user or app.

• Password / Secret Key – the credential paired with the username or key.

Extra Tips:

• Mark fields as required if they are mandatory for all requests.

• Provide clear labels and hints so users know exactly what to enter.

• Avoid field names like “Key” — be specific, e.g., “API Key” or “Account Username.”

2. Configure Test (Me) API

What it is:
A “test” or ME endpoint verifies that the credentials entered actually work.

• viaSocket calls this endpoint right after the user saves their credentials.

• If the call is successful, the connection is marked as valid.

Extra Tips:

• Choose an endpoint that returns basic account info (e.g., /me or /profile).

• Keep responses lightweight for faster verification.

• Provide meaningful error messages if the test fails.

3. Add Connection Label

What it is:
A dynamic label that helps users identify their saved connection.

• Example: John's Salesforce Account instead of a generic “Salesforce Connection.”

Extra Tips:

• Use placeholders to pull data from the test API response (e.g., user’s name or email).

• This helps when a user has multiple accounts with the same service.

4. Add URLs to Whitelist

What it is:
A list of domains or endpoints viaSocket is allowed to call for this connection.

• Acts as a security filter to prevent unauthorized calls to unknown URLs.

Extra Tips:

• Only include the base URLs your integration needs.

• Avoid wildcards (*) unless absolutely necessary.

• Helps prevent misuse if credentials are compromised.

5. Set Request Parameters

What it is:
Default or fixed parameters that should be included in every API request for this connection.

• Example: setting a version=2 parameter for an API that requires it.

Extra Tips:

• Use this for static values that don’t change per request.

• Avoid putting sensitive credentials here — those should be in “Configure Your Fields.

Basic Auth Demo

Click through a step-by-step, interactive demo walkthrough of Supademo, powered by Supademo.

https://app.supademo.com/embed/cm662h6yd06gvchn1i5lo91cf?embed_v=2

OAuth 2.0 – Implicit Grant Type

Purpose:
The Implicit Grant Type is designed mainly for browser-based or single-page apps (SPAs) where tokens are issued directly without a backend server exchanging an authorization code. It’s less secure because tokens are exposed in the URL and no refresh tokens are issued.

1. Configure Your Fields

Set any additional input fields needed for authentication.

• Typically, Implicit Flow doesn’t require extra fields because user login happens directly with the provider.

• Could include optional fields like region or API version if your integration requires them.

2. Copy Your OAuth Redirect URL

The callback URL where the external service will send the access token directly in the URL hash (#access_token=...).

• Must match the redirect URL registered in the provider’s developer portal.

• Tip: Since tokens appear in the browser, make sure the redirect URL is secure (HTTPS).

3. Enter Application Credentials

Add Client ID provided by the external service.

• Note: Most implicit flows don’t require a client secret because the secret can’t be securely stored in browser code.

• Tip: If the provider asks for a secret, you might be using the wrong flow — verify in their docs.

4. Configure Authorization Endpoint

The URL where the user is redirected to log in and approve permissions.

• Example: https://service.com/oauth/authorize

• Common parameters:

  • response_type=token (instead of code)

  • client_id

  • redirect_uri

  • scope

  • state

• Tip: Always use the state parameter to prevent CSRF attacks.

5. Configure Refresh Token API

Not applicable in most implicit flows.

• Implicit flow typically doesn’t provide refresh tokens.

• If you configure this, ensure the provider actually supports it for your chosen flow.

6. Configure Revoke Token API

Optional endpoint to invalidate tokens.

• Helps maintain security by letting users disconnect manually.

• Example: https://service.com/oauth/revoke.

7. Configure Test (Me) API

An endpoint to confirm the token works and retrieve basic account info.

• Example: /me or /profile.

• Useful for building the Connection Label automatically.

8. Add Connection Label

A friendly name for the user’s saved connection.

• Example: John’s GitHub.

• Often uses dynamic data from the Test API.

9. Add URLs to Whitelist

List the API hostnames or endpoints that viaSocket can call with this connection.

• Tip: Keep this minimal to reduce attack surface.

10. Add Unique Authentication Identifier

A unique value from the provider (like user_id or email) that identifies the authenticated account.

• Prevents duplicate connections for the same user.

11. Set Request Parameters

Default query or body parameters for all requests.

• Example: api_version=3.

• Avoid storing sensitive values here — tokens are automatically handled by viaSocket.

Extra Best Practices

• Security First: Since tokens are visible in browser URLs, always use HTTPS and consider clearing URLs after token retrieval.

• Short-Lived Tokens: Expect short token lifetimes — this flow is not designed for long-term sessions.

• Consider Alternatives: If possible, use the Authorization Code with PKCE flow for better security in SPAs.

Use Cases:

• Single-page applications (SPAs).

• Applications with limited backend capabilities.

Security Considerations:

• Access token is exposed in the URL fragment, making it susceptible to interception.

• Not recommended for applications handling sensitive data.

• Considered less secure, its use is being deprecated in favor of Authorization Code with PKCE.

OAuth 2.0 – Authorization Code Grant Type

Purpose:
This is the most secure OAuth flow for server-side applications. It ensures tokens and secrets are kept safe, avoids exposing sensitive data in browser URLs, and supports token refresh for long-term access.

1. Configure Your Fields

Define any extra fields you want to capture along with OAuth authentication.

• Example: API region, environment (sandbox vs production), or account type.

• Keep the number of fields low — OAuth already provides most identity information.

• Tip: If you need optional fields, mark them as not required to improve UX.

2. Copy Your OAuth Redirect URL

The redirect (callback) URL is where the external service sends the authorization code after the user approves access.

• This must exactly match what’s set in the provider’s developer portal — mismatches cause “redirect_uri_mismatch” errors.

• Tip: If your app has multiple environments (dev, staging, prod), register each redirect URL.

3. Enter Application Credentials

Add the Client ID and Client Secret provided by the external service.

• The Client ID is public — it identifies your app.

• The Client Secret is private — treat it like a password and never expose it in frontend code.

• Common pitfall: Mixing up credentials from different environments (e.g., staging vs production).

4. Configure Authorization Endpoint

This is the URL where users log in and consent to share data with your app.

• Example: https://service.com/oauth/authorize

• Usually includes query parameters like:

  • response_type=code

  • client_id

  • redirect_uri

  • scope (requested permissions)

  • state (optional anti-CSRF token)

• Tip: Always use the state parameter for security.

5. Configure Access Token API

The endpoint used to exchange the authorization code for an access token (and optionally a refresh token).

• Requires a secure POST request.

• Typical parameters: grant_type=authorization_code, code, redirect_uri, client_id, client_secret.

• Tip: Handle error responses like invalid_grant gracefully — they often indicate an expired or already used code.

6. Configure Refresh Token API

Allows the system to obtain a new access token without user involvement.

• Keeps the connection alive when tokens expire.

• Tip: Always check if the provider returns a refresh_token in the initial token exchange — not all do.

7. Configure Revoke Token API

Optional but recommended — lets users disconnect securely.

• Revoking tokens prevents further API access.

• Tip: Call this API both when a user manually disconnects and when credentials are invalid.

8. Configure Test (Me) API

A lightweight request to verify token validity.

• Example: /me or /user/profile.

• Helps detect expired or revoked tokens early.

• Tip: Choose an endpoint that’s quick and always available.

9. Add Connection Label

Gives users a friendly name for their saved connection.

• Example: Jane’s Google Drive.

• Tip: Dynamically build it from Test API data (like the user’s name or company).

10. Add URLs to Whitelist

Specifies which domains or endpoints are allowed.

• Protects against malicious or accidental calls to unauthorized destinations.

• Tip: Be strict — only whitelist the API host and necessary subdomains.

11. Add Unique Authentication Identifier

Ensures each connection is linked to a unique user/account in the external system.

• Prevents duplicate connections.

• Tip: Use a value from the Test API like account_id or email.

12. Set Request Parameters

Defines default query or body parameters that should be included in every API call.

• Useful for static requirements like api_version=2.

• Tip: Don’t store sensitive data here — tokens are handled by viaSocket.

Extra Best Practices

• Scope Minimization: Only request the permissions you truly need — this builds user trust.

• Token Security: Store tokens encrypted, never in browser storage.

• Error Transparency: If authorization fails, show the actual error message to help users fix it.

• State Validation: Always verify the state parameter on callback to prevent CSRF attacks.

Use Cases:

• Web applications with server-side components.

• Applications requiring long-lived access.

Security Considerations:

• The authorization code is short-lived and exchanged for a token.

• Client secrets are not exposed to the user.

• Recommended for most applications due to its security features.

OAuth 2.0 Demo

Click through a step-by-step, interactive demo walkthrough of Viasocket, powered by Supademo.

https://app.supademo.com/embed/cm669cr4r00ir1xdhpmrjim0l?embed_v=2

 OAuth 2.0 – Client Credentials Grant Type

Purpose:
This flow is for app-to-app communication with no user interaction. The application authenticates itself using its Client ID and Client Secret to get an access token. Common in backend integrations, automation scripts, and service accounts.

1. Configure Your Fields

In this step, you define the fields the user must fill in to set up the connection.

• Always include:

  • Client ID – The public identifier of your application from the provider’s developer portal.

  • Client Secret – The private key from the provider’s developer portal; must be kept secure.

• Optional: API environment (sandbox/production), API version, or custom configuration fields.

• Tip: Clearly label these fields so the user knows where to find them in the provider’s developer console.

2. Configure Access Token API

The endpoint where viaSocket sends the Client ID and Client Secret to obtain an access token.

• Example: https://service.com/oauth/token

• Typical parameters:

  • grant_type=client_credentials

  • client_id

  • client_secret

  • scope (if required)

• Tip: Use HTTPS to ensure credentials are secure in transit.

3. Configure Refresh Token API

Usually not required because Client Credentials flow can request a new token any time.

• Only configure if the provider explicitly supports refresh tokens in this flow.

4. Configure Revoke Token API

Optional endpoint to invalidate tokens.

• Example: https://service.com/oauth/revoke

• Recommended for security if users may disconnect integrations.

5. Configure Test (Me) API

An API call to confirm the token works.

• Often /status, /account, or /ping.

• This verifies the access token is valid and the app is authorized.

6. Add Connection Label

Give the saved connection a meaningful name.

• Example: ServiceX App Connection.

• Can include environment or version for clarity.

7. Add URLs to Whitelist

List only the allowed domains/endpoints for this connection.

• Reduces the risk of misuse if tokens are compromised.

8. Add Unique Authentication Identifier

A unique ID for the authenticated app/service.

• Could be the application ID, service account ID, or integration name.

9. Set Request Parameters

Default parameters for all API requests.

• Example: version=2.

• Do not put sensitive credentials here — those go in the authentication fields.

Extra Best Practices

• Keep Client Secret safe — never expose it in public repos or frontend code.

• Request only the minimum scopes needed.

• Automate token renewal before expiry if tokens are short-lived.

• Perfect for background jobs, system integrations, and scheduled automation.

If

OAuth 2.0 – Password Credentials Grant Type

Purpose:
Also known as the Resource Owner Password Credentials (ROPC) flow, this grant type allows exchanging a username and password directly for an access token.
It’s generally deprecated for modern apps because it bypasses the provider’s login UI and puts full responsibility for credential handling on your app.
Recommended only for legacy systems or trusted environments.

1. Configure Your Fields

This is where you define the credentials the user must enter.

• Always include:

  • Username – The account username or login email for the service.

  • Password – The account password; will be sent directly to the provider to exchange for a token.

• Optional: Additional fields like API environment (sandbox/production) or optional security tokens (e.g., OTP, tenant ID).

• Tip: Make it very clear to users that their credentials are stored securely and only sent to the provider’s authentication endpoint.

2. Configure Access Token API

The endpoint where viaSocket sends the username and password to get an access token.

• Example: https://service.com/oauth/token

• Typical parameters:

  • grant_type=password

  • username

  • password

  • client_id (sometimes required)

  • client_secret (sometimes required)

  • scope (if applicable)

• Tip: Always use HTTPS — never send passwords over plain HTTP.

3. Configure Refresh Token API

Allows obtaining a new access token without prompting the user for credentials again.

• Recommended if the provider issues refresh tokens for this flow.

• Not all services support refresh tokens in ROPC.

4. Configure Revoke Token API

Optional endpoint to invalidate tokens.

• Example: https://service.com/oauth/revoke

• Important for allowing users to disconnect and revoke access instantly.

5. Configure Test (Me) API

An endpoint to verify that the access token works.

• Example: /me, /account, or /user/profile.

• Useful for building the Connection Label and confirming authentication success.

6. Add Connection Label

A friendly name for the saved connection.

• Example: Jane’s CRM Account.

• Can be dynamically built using data from the Test API (like the user’s name or email).

7. Add URLs to Whitelist

Restrict calls to only the authorized API domains.

• Helps prevent token misuse.

• Only include what’s necessary for your integration.

8. Add Unique Authentication Identifier

A unique value from the authenticated account (e.g., user ID or email) to differentiate connections and prevent duplicates.

9. Set Request Parameters

Default parameters to include with every API request.

• Example: version=2.

• Avoid placing sensitive data here — credentials and tokens are handled securely by viaSocket.

Extra Best Practices

• Avoid in Public Apps: This flow requires full trust between your app and the user.

• Only for Legacy/Trusted Systems: Use OAuth Authorization Code flow for modern integrations.

• Credential Storage: Always encrypt stored passwords; never log them.

• MFA Considerations: If the account uses MFA, this flow may not work unless the provider supports passing OTP or other factors.

• Register your application with the OAuth 2.0 authorization server to obtain a client ID and client Secret.