Add authorization flows
Implement PKCE OAuth workflows in your Stripe app.
You can implement OAuth with your UI extension in the Dashboard to retrieve access tokens from an OAuth provider instead of building an OAuth backend. If the user gives your Stripe App access to an OAuth provider, they can interact with the services of the OAuth provider directly from your Stripe app in the Dashboard.

OAuth flow with a Stripe app
Before you begin
- Ensure that your OAuth provider supports the Proof Key for Code Exchange (PKCE) flow.
- If you haven’t already, create an app with your OAuth provider to connect and use with your Stripe App.
- Create a Stripe app and build a UI. The UI extension retrieves the access token from the OAuth provider with the PKCE flow.
End users click on an authorization link from your app to start the OAuth flow and give your app access to the service of the OAuth provider.
Create the test mode and live mode OAuth redirect URLs. This process also applies in a sandbox environment. The redirect URL is unique to your app and includes your app id in the path. For example, if the id field in your app manifest is "id": "com.example.oauth-example":
- The test mode URL is:
- The live mode URL is:
Register the test and live OAuth redirect URLs with your OAuth provider.
From your app’s UI extension, create a pathway that routes users from your Stripe app to authorize the OAuth provider by passing the following parameters in the OAuth redirect URLs:
Parameter | Value |
---|---|
response_type | This is always code. The PKCE flow uses code as the value to request an authorization code from the OAuth provider. |
client_id | The ID of your OAuth app assigned from your OAuth provider. |
redirect_uri | The Stripe app’s OAuth redirect URL. This is the URL the OAuth provider uses to redirect a user to your app. |
state | The state return value from the createOAuthState function. |
code_challenge | The challenge return value from the createOAuthState function. |
code_challenge_method | This is always S256. |
You can use the following code example to route users from your Stripe App to authorize a third-party app using the OAuth redirect URLs and the Button UI component:
Your app can only make requests on behalf of the current user. After the user authorizes your app, the Dashboard passes their OAuth data to your app through the code and verifier values of the oauthContext context prop.
Only valid authorization attempts allow your app to read the code, verifier, and if applicable, custom state values. An authorization attempt is valid if the OAuth provider redirects to the redirect_uri and includes the state value in the matching query string parameter of the authorization link. The state value must be identical to the state value returned by the createOAuthState function (when you created the authorization link).
From your app’s UI extension, retrieve the access token from the OAuth provider with the following parameters:
Parameter | Value |
---|---|
code | The value of the oauthContext.code React prop. |
grant_type | This is always authorization_code. |
code_verifier | The value of the oauthContext.verifier React prop. |
client_id | Your client ID from the OAuth provider. |
redirect_uri | The Stripe app’s OAuth redirect URL. |
You can use the following code example to retrieve an access token from an OAuth provider:
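The two parameter tables above turned into requests, as an added example rather than Stripe's sample code: it builds the authorization link and the token request, and declines to build the latter until oauthContext carries both code and verifier. The provider endpoints, client ID, redirect URL placeholder and helper names (buildAuthorizationUrl, buildTokenRequest, fetchAccessToken) are assumptions, and the https checks are an addition of this example.

```javascript
// Added illustration: endpoints, client ID and sample values are constructed.
// In a UI extension, state/challenge come from createOAuthState() and
// code/verifier come from the oauthContext prop.

// Build the authorization link from the first parameter table.
function buildAuthorizationUrl(authorizeEndpoint, { clientId, redirectUri, state, challenge }) {
  const url = new URL(authorizeEndpoint);
  if (url.protocol !== 'https:') throw new Error('authorization endpoint must use https');
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: challenge,
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Build the token request from the second parameter table. Returns null until
// both values are present, which only happens after a valid authorization attempt.
function buildTokenRequest(tokenEndpoint, oauthContext, { clientId, redirectUri }) {
  const { code, verifier } = oauthContext || {};
  if (!code || !verifier) return null;
  if (new URL(tokenEndpoint).protocol !== 'https:') throw new Error('token endpoint must use https');
  const body = new URLSearchParams({
    code,
    grant_type: 'authorization_code',
    code_verifier: verifier,
    client_id: clientId,
    redirect_uri: redirectUri, // must match the value used in the authorization link
  });
  return {
    url: tokenEndpoint,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Send the request and return the access token; throws on an error response.
async function fetchAccessToken(request, fetchImpl = fetch) {
  const response = await fetchImpl(request.url, request.init);
  const payload = await response.json();
  if (!response.ok || !payload.access_token) {
    throw new Error(`token exchange failed: ${payload.error || response.status}`);
  }
  return payload.access_token;
}
```

Pass the same redirect URL to both builders; providers reject a token request whose redirect_uri differs from the one in the authorization link.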
Set and find the access token in the Secret Store API to enable your app to store and use it in later sessions:
Add the secret_write permission to your app:
From your app’s UI extension, set the access token in the Secret Store API:
For more information, see Set a secret.
From your app’s UI extension, find the access token in the Secret Store API:
For more information, see Find a secret.