How can I authenticate requests coming from my backend to monday.com?

Let's say I have a webhook (server-side code) that gets called in response to an event. In this webhook I now want to call the Monday API and perform some operation e.g., reading/writing to a board. How do I authenticate my request? Reading Choosing an authentication method it seems the only way is to use Method 2: Using OAuth to issue access tokens. However, when I tried to implement this there are some issues I ran into which raise some doubts.

  1. First, I will need to store the OAuth token on the backend. It can be done but I have never seen such a pattern before where an app stores a user’s tokens in a database. The link does say:

If your app needs to store a user’s API token or make API calls in the background, OAuth is a good option.

  2. Second, within an account there can be thousands of users (taking the worst case). Storing thousands of tokens raises some red flags in my mind.

  3. The above point is maybe explained by the following:
    https://support.monday.com/hc/en-us/articles/360014664060-The-monday-apps-marketplace

Note: Installing apps can only be done by an admin of the account.

So when an admin installs an app, does it automatically become available to all users under that account? And I only need to store the admin’s OAuth token? That would explain it.

What are the best practices here? Is OAuth the right approach or are there alternatives? Thanks.

Hey again Moprh!

As I understand it and with the bit of testing I did on my app, SummarizeIt to Items, if you go the OAUTH route, the token can be used for an extended amount of time and arguably more importantly, it allows your back-end code to make monday.com API calls with that token.

It’s going to come down to how your app works and what is needed. With the above, the user has to in app authenticate the use. If you’re wanting to go the more seamless route, do so.

Using seamless, you get the token from the monday.com platform when the request comes in. It will contain the data in a JWT token about the user. You can use that token to make any further API calls as that user.

In my app, we’re doing an iframe AI assistant, so we utilize the JWT and mondaySDK as mentioned in the following. But as you see, it’s noted that if your back-end needs to make API calls, you’ve gotta use the OAUTH option.

We do pass that JWT to our back-end for decoding to look up usage and setting details etc… as the JWT contains user_id, account_id, is_admin etc… so some very useful data for your back-end to use for whatever you may need.

Hope that helps!
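The reply above passes the platform-issued JWT to the back-end and decodes it to read user_id, account_id and is_admin. The important detail for a back-end is that those claims are only trustworthy after the signature has been verified; a token that is merely decoded can carry any is_admin value the sender chose. The following is an added example, not code from either post or from monday.com's SDK. It assumes the token is an HS256 JWT signed with a secret the app holds (a constructed secret here) and that the claims sit at the top level of the payload; the real platform's signing scheme and claim layout should be taken from its documentation. The verification uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only. A real back-end reads its own
# signing secret from configuration and never hard-codes it.
SIGNING_SECRET = b"example-signing-secret-not-real"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Build an HS256 JWT. Used here only to construct sample input; in the
    real flow the platform, not the back-end, issues the token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_claims(token: str, new_claims: dict) -> str:
    """Replace the payload but keep the old signature, i.e. what a tampered
    request would look like. Exists only to show that verification rejects it."""
    header_b64, _, sig_b64 = token.split(".")
    return ".".join([header_b64, _b64url_encode(json.dumps(new_claims).encode()), sig_b64])


def verify_token(token: str, secret: bytes = SIGNING_SECRET, now=None) -> dict:
    """Check algorithm, signature and expiry; return the claims or raise ValueError.
    Claims from a token that fails here must not be used for any decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's header pick it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def request_context(token: str, now=None) -> dict:
    """What a webhook handler would keep from a verified token. Assumed claim
    names follow the reply: user_id, account_id, is_admin."""
    claims = verify_token(token, now=now)
    return {
        "user_id": claims["user_id"],
        "account_id": claims["account_id"],
        "is_admin": claims.get("is_admin") is True,
    }


if __name__ == "__main__":
    sample = {"user_id": 7, "account_id": 42, "is_admin": False, "exp": int(time.time()) + 300}
    token = make_token(sample)
    print("verified:", request_context(token))
    forged = forge_claims(token, {**sample, "is_admin": True})
    try:
        request_context(forged)
    except ValueError as exc:
        print("forged token rejected:", exc)
```

The handler only ever works from the dictionary returned by `request_context`, so an is_admin flag that was decoded but not signed never reaches the code that decides what the request may do. The same `account_id` is also the natural key for whatever per-account OAuth token the first post is worried about storing.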