OAUTH Missing State Field on Successful Auth Redirect

Hi There,

TLDR: I’m having trouble with the monday OAUTH redirect_uri (post client authorization) as the monday system does not forward the state field as per the documentation.

Currently the Oauth flow setup I have is as follows

  1. User is directed to the Monday app authrization page where the user clicks Authroize and approves the app’s scoped permissions:
    https://auth.monday.com/oauth2/authorize?client_id=<our apps client id>&state=<nonce generated by our system>&redirect_uri=https://<our app>

Note: When this authorization page loads I can see the url changes to a new format i.e.:
https://<subdomain>.monday.com/oauth2/authorize?oauth_payload_token=<jwt formatted token>
I can see the jwt token when decoded clearly contains the state nonce that was passed to monday, suggesting it has been received (for the avoidance of any doubt that it has not).

  1. When the User clicks Authorize they are redirected to the redirect_uri however monday passes the state attribute as a query string parameter without any value i.e state=. According to the Official documentation it should always be passed through when provided.

From the Monday Docs:

An arbitrary value that will be passed back to your app on approval or denial. Use a unique state parameter to avoid forgery attacks and check the value at every step of the OAuth flow. - see under state parameter in table.

I’d love it if this could be resolved quickly as it’s blocking development and is seemingly a very simple mistake in the monday system or something I’ve missed?

Kind Regards,

Hello @AlexanderCollins!

This sounds quite odd. Would you be able to send us an email to appsupport@monday.com so we can check it out more in depth and look for a solution together?

Looking forward to hearing from you :slightly_smiling_face:


Hey Matias,

It was just me putting an extra ? in the url… much happier with this outcome as I was sure there couldn’t be anything wrong with Monday’s OAUTH.

Many Thanks!

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.