client_secret. This is a server-side integration: all token exchanges must happen on your back-end. The client_secret must never be exposed in browser code, mobile app binaries, or any environment the end user can inspect.
Before continuing, you need a client_id and client_secret. See Register your app.
How it works
Redirect the user to the authorization endpoint
Your server builds the authorization URL and redirects the user’s browser to it.
User logs in and approves
The user selects a workspace and reviews the requested scopes on the Vendaze consent screen.
They can only approve or deny access in full, with no option to select individual scopes.
Receive the authorization code
Vendaze redirects the browser back to your
redirect_uri with a short-lived code.Exchange the code for tokens
Your server exchanges the code for an
access_token and refresh_token via a back-end request.Step 1 - Redirect the user
Build the authorization URL and redirect the user’s browser to it. This must be a browser navigation, not a server-side HTTP request. Do not usefetch, axios, curl, or any HTTP client to call this endpoint. The user must be redirected so they can log in and approve access on the Vendaze consent screen.
| Parameter | Required | Description |
|---|---|---|
client_id | Yes | Your app’s client ID. |
redirect_uri | Yes | Must exactly match a registered URI. |
response_type | Yes | Must be code. |
state | No | Random string you generate. Returned unchanged. Strongly recommended to prevent CSRF. |
Step 2 - User authorizes
The user selects a workspace and reviews the requested scopes on the Vendaze consent screen. They can only approve or deny access in full, with no option to select individual scopes. No action required on your side during this step.Step 3 - Handle the callback
After approval, the user is redirected to yourredirect_uri:
state matches what you stored, then proceed to exchange the code. If the user denies authorization:
error parameter and show an appropriate message to the user.
Step 4 - Exchange code for tokens
This request must be made from your server, never from the browser.| Field | Description |
|---|---|
access_token | Use this in every API request. Expires in 1 hour. |
refresh_token | Use this to get a new access token. Valid for 60 days if used regularly. |
token_type | Always Bearer. |
expires_in | Seconds until the access token expires. Always 3600. |
workspace_slug | Slug of the workspace the user authorized. Use this to identify the connected account in your app. |
Token storage
Store both tokens securely on your server. The following practices apply:access_token: short-lived (1 hour). Store in memory or a fast cache. Never in localStorage or cookies accessible to JavaScript.refresh_token: long-lived (60 days). Store encrypted in your database, associated with the user and workspace. This is the credential that allows you to maintain access without user interaction.- Never log either token. Never include them in URLs or query strings.
- Never expose them in API responses to your own front-end. Your front-end should call your back-end, which calls Vendaze.
Step 5 - Make API calls
Include theaccess_token in every request as a Bearer token:
Step 6 - Refresh the access token
Access tokens expire after 1 hour. Refresh them using the refresh token before the expiry, or reactively when you receive atoken_expired error.
refresh_token is issued on every refresh and the previous one is immediately invalidated.
Refresh tokens expire if unused for 60 days. Each time you use a refresh token, the 60-day window
resets. If a refresh token expires, the user must go through the full authorization flow again.
Revoking access
To disconnect a workspace from your app, revoke the access token:Next: Make your first request to use your access token in a real API call.