OAuth 2.0 - Authorization Code
OAuth 2.0 with Authorization Code Grant
The OAuth 2.0 Authorization Code Grant is a secure authentication method designed for applications that require delegated access to user resources. This flow is commonly used by web and mobile applications that need to authenticate users and obtain an access token to act on their behalf.
In this flow, the user is redirected to the authorization server (your application) to grant permissions. Once authorized, the server provides an authorization code, which the application exchanges for an access token.
After obtaining the access token, the application can use it to authenticate API requests on behalf of the user. If the access token expires, the application may use a refresh token (if provided) to obtain a new one, avoiding the need for reauthentication.
Helpful Information:
- Callback URL: https://<org>.moveworks.com/auth/oauthCallback
  - E.g.: https://acme.moveworks.com/auth/oauthCallback
  - To find your org information:
    - Go to Agent Studio
    - Copy the base URL
    - Add /auth/oauthCallback to the end
- To set this up, choose Oauth2 from the **Auth Config** dropdown list.
- Then choose Authorization Code Grant from the Oauth2 Grant Type dropdown.
- Required Info:
  - Authorization URL: The authorization endpoint for the third-party system. This is obtained from the third-party system's API documentation.
  - Client ID: The Client ID generated from the third-party OAuth application.
  - Client Secret: The Client Secret generated from the third-party OAuth application.
  - Authorization Code Grant Scope: The scopes that you wish this connector to have access to. This is obtained from the third-party system's API documentation.
  - Oauth2 Token Url: The token endpoint for the third-party system. This is obtained from the third-party system's API documentation.
- Recommended Info:
  - Revoke URL: The revocation endpoint for the third-party system. This will allow end-users to revoke their tokens. This is obtained from the third-party system's API documentation and is highly recommended.
  - Instructions URL (Optional): This URL will be shown to end-users if revocation fails. We recommend putting instructions here for end-users to revoke tokens inside the third-party system itself.
  - Authorization Code Grant Revoke Access Token Options
    - Revoke Access Token Authentication
    - Revocation token key: The name of the key that the revocation endpoint would use when sending the access token. We use 'token' by default.
- If needed, you can leverage Oauth2 Custom Oauth Request Options Additional Request Data to send additional body data needed for the request.
  Data is sent in x-www-form-urlencoded format in the body like so:
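How the fields above map onto the standard requests of this flow, as an added example (not Moveworks code and not part of the original page): it builds the authorization redirect, validates the callback's state, and form-encodes the token-exchange and revocation bodies per RFC 6749 and RFC 7009. The idp.example.com endpoints, credentials, scopes and the token_type_hint extra field are constructed placeholders, and sending the client credentials in the body rather than via HTTP Basic is an assumption about the third-party system.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; the third-party endpoints and credentials are placeholders.
CONFIG = {
    "authorization_url": "https://idp.example.com/oauth2/authorize",
    "token_url": "https://idp.example.com/oauth2/token",
    "revoke_url": "https://idp.example.com/oauth2/revoke",
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
    "scope": "read:tickets write:tickets",
    "callback_url": "https://acme.moveworks.com/auth/oauthCallback",
    "revocation_token_key": "token",  # default key name stated on this page
    "additional_request_data": {"token_type_hint": "access_token"},
}

def build_authorization_request(cfg):
    """Return (redirect_url, state); state ties the callback to this session."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": cfg["client_id"],
                       "redirect_uri": cfg["callback_url"],
                       "scope": cfg["scope"], "state": state})
    return f'{cfg["authorization_url"]}?{query}', state

def parse_callback(callback_url, expected_state):
    """Return the authorization code; reject a missing or mismatched state."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in params or "code" not in params:
        raise ValueError("authorization denied or code missing")
    return params["code"][0]

def token_request_body(cfg, code):
    """Form-encoded body POSTed to the token URL (RFC 6749 section 4.1.3)."""
    # Assumption: client credentials go in the body; some servers want HTTP Basic.
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": cfg["callback_url"],
                      "client_id": cfg["client_id"],
                      "client_secret": cfg["client_secret"]})

def revocation_request_body(cfg, access_token):
    """Form-encoded revocation body: additional data plus the configured token key."""
    body = dict(cfg["additional_request_data"])
    body[cfg["revocation_token_key"]] = access_token  # set last so it cannot be overridden
    return urlencode(body)
```

The redirect_uri sent in the token exchange must match the one used in the authorization request, which is why both are taken from the same callback_url value.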

This feature is still in Limited Preview.
See the latest in our community post. As this is a limited preview product, we have the following limitations:
- Display Name and Display Description. You are currently unable to self-serve providing the display name and display description. This is what end users would see when giving consent. Please reach out to your Moveworks customer success team to set this up if you are in our limited preview program.
- Log Reduction Behavior. To maintain proper security standards, any customer in our limited preview program will have the following behavior by default:
  - Strict log reduction is enforced for all plugins launched to more than 10 users. To debug a plugin launched to more than 10 users, a developer has to:
    - Unlaunch the plugin and launch it to only 10 users.
    - Reproduce the error.
    - View the logs.
    - Fix the issue.
    - After doing so, they can republish the plugin to more than 10 users, which will then enforce strict log reduction.
Customers who wish to use this feature must add all their end users to the My Moveworks SSO. This step is essential because it grants end users access to the connections page, where they can provide consent to connect with third-party systems and subsequently utilize plugins. This setup is necessary to ensure a secure implementation of OAuth 2 using the Authorization Code grant type.
End users with access to My Moveworks SSO will not have visibility into developer or admin-facing products unless they have the appropriate roles or permissions. For detailed instructions on adding users to the My Moveworks SSO, please refer to our SSO documentation: https://help.moveworks.com/docs/sso#/