Auth flow and WebHook integration for Custom URL (IFRAME based) apps

Hi, new Monday dev here. My app is a Custom URL (IFRAME hosted) app. Just want to confirm that the only way to do authentication for this type of app is OAuth? (i.e. Seamless auth is obviously not an option in my use case, correct?)

Along these same lines, just want to clarify the basic process I need to implement:

  • Setup my WebHook for lifecycle events
  • Configure my OAuth / Redirect URI settings
  • Configure my scopes I need to request
  • User installs/trial my app
  • I will get a WebHook notification at this point, possibly with some basic user info
  • User launches my app
  • OAuth flow starts, user authorizes the scopes I request
  • Once approved I get the user’s API token (store in my backend)
  • The WebHook lifecycle events are the only integration requests I’ll get from Monday as my users manage my app’s install/delete/cancel/renew/subscribe/etc

And, with the Monday SDK I’ll do auth/login/init using the user’s OAuth token. At that point, all requests I make via the initialized SDK will be for that user.

Is this the basic flow for an external/IFRAME app integration? Thanks

Hello there @deepdev and welcome to the community!

You can use the SDK to make your API calls if needed.

Regarding OAuth, your steps look good to me. You can read more about it here and check out an example here :smile:

As mentioned, you can use the SDK directly if you do not want to use OAuth.

I hope that helps!


1 Like

Hi, I’m proceeding with OAuth testing. Not sure what the problem is but I get a response from the token service with the error:

  (log) ControllerMonday: sending request to get token with - {"client_id":"NNNNN","client_secret":"NNNNN","redirect_uri":"MY_REDIRECT_URI","code":"NNNN"}
  (log) ControllerMonday: token response, getting access token
  (log) ControllerMonday: token response, body is - {"error":"invalid_request","error_description":"Missing client_id param"}

I’m receiving the redirect callback with the access code just fine. But, then I set all the values including “client_id” and calling and I get the response that “client_id” is missing…

I had a similar error when I first started testing OAuth for Monday apps and it was because my app settings had changed and I had to redeploy the app so that my OAuth settings had taken effect. But, my app hasn’t changed and I’ve verified the client_id and client_secret as well as the code being sent are correct.

But, at this point, I’m at a loss. I’m passing the client_id and what I thought was odd was that in the sample code that you referenced, they used this for their POST configuration:


    var authRequest = {
      url: 'THE_TOKEN_URI',
      form: {
        redirect_uri: redirect_uri + "/oauth/callback",
        client_id: client_id,
        client_secret: client_secret,
        code: code,

They’re using “form” instead of “body” to POST the data to the token service. I tried both with “body” and with “form” and get the same response. Here’s my code…

        // Call monday enpoint
        var config = {
            method: 'POST',            
            body: JSON.stringify({
                client_id: this.Env.MONDAY_CLIENT_ID,
                client_secret: this.Env.MONDAY_CLIENT_SECRET,
                redirect_uri: ControllerMonday.OAUTH_REDIRECT_URI,
                code: code     
        console.log("ControllerMonday: sending request to get token with - "+ config.body);
        var req = new Request(ControllerMonday.OAUTH_TOKEN_URI);
        var res = await fetch(req, config);      

Any ideas? Thanks

I see thanks! Yep, I think I understand now how an IFRAME can use the SDK and allow my app to auth via the SDK (sessionToken being present/available) vs having to implement OAuth and do the user/token mapping in my own backend. I got the OAuth support written this weekend so I’m going to test it and maybe just run with that for now.

But, as I get more experience and understanding of the Monday platform, I suspect just using the SDK and the JWT/sessionToken can work just as well and possibly a little easier. I guess it never hurts to implement both just so I truly understand all the pros/cons and exactly how Monday works.

Thanks again!

There are only three circumstances I know of that you need an OAuth token for:

  1. You have long running tasks that take more than the 5 minutes of the JWT/shortLivedToken.
  2. You want to offload front end tasks to a backend (maybe some sort of queue)
  3. You wish to run background tasks on a backend - such as cron jobs to get account size and subscription data.

There is a fourth, which is you have webhooks which you then execute some sort of saved configuration for, rather than using actual integration recipes. This is an anti-pattern. Though it comes up because there is no way to create an integration recipe from a front end app - only webhooks.