Monday App Authentication Flow

Does someone mind explaining the general flow of authenticating users when they open my Monday App view on their board? I understand the OAuth2.0 process of retrieving user unique API keys and have that implemented. When the user authorizes my app, I store their key in a database to use later. The problem I am having and cannot find any documentation for is how to get the userID when my application loads, so I can get their API key and not send them through the OAuth2 process again.


Hey @tsmith - we send a JWT token with every request made - this token would contain the user ID.

Essentially you should be able to decode the JWT token and get the user ID from it.

-Daniel
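
Added example (not monday.com's code and not part of the original posts): a server should verify the session JWT's signature and expiry before using the user ID to look up a stored OAuth token, rather than only decoding it. It assumes an HS256 token signed with the app's secret and a `userId` claim; the claim name, the helper names and the sample values are assumptions, so check them against the actual token payload.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Verify an HS256-signed JWT and return its payload, or throw.
function verifySessionToken(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [headerB64, payloadB64, sigB64] = parts;

  // Pin the algorithm: never let the token header choose it (rejects alg=none).
  const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
  if (header.alg !== 'HS256') throw new Error('unexpected alg');

  // Recompute the MAC over "header.payload" and compare in constant time.
  const expected = crypto.createHmac('sha256', secret)
    .update(`${headerB64}.${payloadB64}`).digest();
  const given = Buffer.from(sigB64, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }

  const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) {
    throw new Error('token expired');
  }
  return payload;
}

// Look up the stored OAuth token only for a verified user ID.
function apiTokenForRequest(sessionToken, secret, tokenStore, nowSeconds) {
  const { userId } = verifySessionToken(sessionToken, secret, nowSeconds); // claim name is assumed
  // null means no token is stored yet: send this user through OAuth.
  return tokenStore.has(userId) ? tokenStore.get(userId) : null;
}

// Constructed sample data, for demonstration only.
function signForDemo(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}
const DEMO_SECRET = 'constructed-signing-secret';
const DEMO_STORE = new Map([[1234, 'constructed-oauth-token']]);
```
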

Thank you Daniel. This makes sense with what I have been seeing. So does that mean there is no way to make an API request from the server side on behalf of the user, since the session token sent is not an API token? Should all of the app API requests be on the client-side and the server-side is just used for data retrieval?

I can send the user through the OAuth2 authentication process when they open my board view and store their API token that way. But is there a point to that since the user already goes through the OAuth2 auth process when installing the app?

How do developers usually make API queries for their users? Client or server side? What would you recommend?

Hey @tsmith – good question. Put simply, you’ll need to implement OAuth so that your app has an access token to authenticate against our API.

Some additional context:

The initial screen that the user sees when they install an app is not an OAuth screen. It asks for an admin to authorize an app on behalf of the whole account. This lets users add your app’s features to their boards and dashboards.

OAuth, on the other hand, is a user-level authorization. It gives your app a token so it can access data in monday.com on behalf of a specific user.

Because of these different scope levels, if your app needs an API key it’ll need to use OAuth.

I am also struggling with the way I can implement OAuth to call an external Google app. The documentation around how authentication works for integrations isn’t the best. I am able to get my recipe to trigger the Google auth page, but I get an invalid request every time when trying. I see that someone has created a Google Sheets integration, so I know that there is a way.

Error 400: invalid_request

Required parameter is missing: response_type

There must be something simple that I am missing. I can easily test this with Postman without issue.