OAuth Integration

ShellApps ID acts as an OAuth 2.0 provider, allowing third-party applications to authenticate users via ShellApps ID.

OAuth 2.0 Authorization Code Flow

┌──────────┐     1. Redirect      ┌─────────────────────┐
│ Your App │ ───────────────────► │ auth.shellapps.com  │
│          │                      │   /oauth/authorize  │
│          │     2. User logs in  │                     │
│          │                      │                     │
│          │     3. Redirect back │                     │
│          │ ◄─────────────────── │  ?code=abc123       │
│          │                      └─────────────────────┘
│          │     4. Exchange code
│          │ ───────────────────► POST /oauth/token
│          │
│          │     5. Access token
│          │ ◄─────────────────── { access_token, ... }
└──────────┘

Step 1: Redirect to Authorize

https://auth.shellapps.com/oauth/authorize?
  client_id=your_client_id&
  redirect_uri=https://your-app.com/callback&
  response_type=code&
  scope=profile+groups&
  state=random_csrf_token

Step 2: Exchange Code for Token

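// Run this on your server: client_secret must never be sent to the browser.
const response = await fetch('https://auth.shellapps.com/api/v1/oauth/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    grant_type: 'authorization_code',
    code: 'abc123', // the ?code= value from the redirect back to your app
    client_id: 'your_client_id',
    client_secret: 'your_client_secret',
    redirect_uri: 'https://your-app.com/callback', // same value as in Step 1
  }),
});

// Fail early on a non-2xx response instead of destructuring an error body.
if (!response.ok) {
  throw new Error(`Token exchange failed: HTTP ${response.status}`);
}

const { access_token, refresh_token, expires_in, scope } = await response.json();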

Step 3: Use the Token

const user = await fetch('https://auth.shellapps.com/api/v1/auth/session', {
  headers: { Authorization: `Bearer ${access_token}` },
}).then(r => r.json());
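
The `state` parameter from Step 1 only stops CSRF if it is unpredictable, tied to the user's session, and checked on the redirect back before the code is exchanged. The following is an added example, not ShellApps code: `buildAuthorizeRequest` and `validateCallback` are hypothetical helper names, and the `error` parameter handling assumes ShellApps ID follows RFC 6749.

```javascript
// Added example, not ShellApps code. Helper names are hypothetical.
const crypto = require('node:crypto');

const AUTHORIZE_URL = 'https://auth.shellapps.com/oauth/authorize';

// Step 1: build the redirect URL plus a fresh state value. Store `state` in the
// user's server-side session (or a signed cookie) before redirecting.
function buildAuthorizeRequest({ clientId, redirectUri, scopes }) {
  const state = crypto.randomBytes(32).toString('base64url'); // 256 bits, URL-safe
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: scopes.join(' '), // serialized as profile+groups
    state,
  }).toString();
  return { url: url.toString(), state };
}

// Redirect back (diagram step 3): check state before touching the code.
// `expectedState` is the value saved in Step 1; discard it after one use.
function validateCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') ?? '');
  const want = Buffer.from(expectedState ?? '');
  if (want.length === 0 || got.length !== want.length ||
      !crypto.timingSafeEqual(got, want)) {
    return { ok: false, reason: 'state_mismatch' };
  }
  // Assumption: errors come back as ?error=... per RFC 6749 section 4.1.2.1.
  if (params.has('error')) return { ok: false, reason: params.get('error') };
  const code = params.get('code');
  if (!code) return { ok: false, reason: 'missing_code' };
  return { ok: true, code }; // safe to exchange for a token (Step 2)
}

// Constructed sample run using the placeholder values from this page.
const request = buildAuthorizeRequest({
  clientId: 'your_client_id',
  redirectUri: 'https://your-app.com/callback',
  scopes: ['profile', 'groups'],
});
console.log(request.url);
console.log(validateCallback(
  `https://your-app.com/callback?code=abc123&state=${request.state}`, request.state));
console.log(validateCallback(
  'https://your-app.com/callback?code=abc123&state=forged', request.state));
```
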

Scopes

Scope          Access
-------------  -----------------------------------------
profile        Read user's active profile (name, avatar)
profile.write  Update profile information
groups         Read group memberships
groups.write   Manage group memberships
email          Read user's email address

Registering Your App

Register your OAuth application at auth.shellapps.com/developer:

  1. Provide your app name and redirect URIs
  2. Receive a client_id and client_secret
  3. Configure allowed scopes

Token Refresh

OAuth tokens follow the same refresh flow as regular sessions:

// Server-side only, like the code exchange: the request carries client_secret.
const response = await fetch('https://auth.shellapps.com/api/v1/oauth/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    grant_type: 'refresh_token',
    refresh_token: 'rt_...', // the refresh_token returned by the code exchange
    client_id: 'your_client_id',
    client_secret: 'your_client_secret',
  }),
});

© 2026 Shell Technology. All rights reserved.