
Connected Apps

Learn how to manage third-party applications that integrate with Optare via OAuth.

What are Connected Apps?

Connected Apps are third-party applications that you've authorized to access your Optare account data. This uses OAuth 2.0 for secure, permission-based access.

Viewing Connected Apps

  1. Go to OAuth Clients or Connected Apps from the sidebar
  2. See all applications with access to your account

App Information

For each connected app, you'll see:

  • App name and description
  • Permissions granted
  • Last accessed date
  • Connection date
  • Status (Connected/Disconnected)

Connecting a New App

From the App

  1. On the third-party app, click "Login with Optare" or "Connect to Optare"
  2. You'll be redirected to Optare
  3. Log in if not already logged in
  4. Review the permissions the app is requesting

Permissions Screen

The authorization screen shows:

  • App name and logo
  • Developer/publisher
  • Requested permissions:
    • Email access
    • Profile information
    • Product access
    • Organization data

Grant Access

  1. Review what the app can access
  2. Click "Authorize" to grant access
  3. Or click "Deny" to reject
  4. You'll be redirected back to the app

After Authorization

  • App appears in your Connected Apps list
  • App receives an access token
  • App can now access your permitted data

Managing App Permissions

Viewing Permissions

  1. Go to Connected Apps
  2. Click on an app name
  3. See detailed permissions:
    • Email access - Can read your email address
    • Profile access - Can read your name and picture
    • Product scopes - Can access specific products
    • Organization access - Can read org details

You Cannot Modify Permissions

Once granted, permissions cannot be partially revoked. You must:

  • Disconnect the app entirely, OR
  • Contact the app developer to reduce requested scopes, OR
  • Reconnect with new permissions

Revoking Access

Why Revoke?

  • No longer using the app
  • Security concern
  • App requesting too much access
  • Testing/development purposes

How to Revoke

  1. Go to Connected Apps
  2. Find the app in the list
  3. Click "Revoke Access" or the disconnect button
  4. Confirm the action

What Happens When You Revoke

  • ❌ App can no longer access your data
  • ❌ App's access tokens become invalid immediately
  • ✅ Your data remains intact
  • ✅ App can be reconnected later if needed

Note: Revoking doesn't delete data the app already has. Contact the app provider to delete their copy.

Creating Your Own OAuth Clients

If you're a developer building integrations:

  1. Go to OAuth Clients, then Create New Client
  2. Follow the multi-step wizard:

Step 1: Basic Information

  • Client name
  • Description (optional)
  • Client logo (optional)

Step 2: Redirect URIs

  • Add callback URLs where users return after authorization
  • Example: https://yourapp.com/auth/callback
  • Can add multiple URIs

Step 3: Allowed Origins (CORS)

  • Add domains that can make requests
  • Example: https://yourapp.com
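The following is an added example, not Optare's own code, showing the kind of checks an authorization server applies to the values entered in Steps 2 and 3: a redirect URI is only registrable if it is absolute HTTPS without wildcards or fragments, a requested redirect URI must match a registered one exactly, and a browser Origin is compared on scheme and host only. The registered values are constructed samples based on the examples above.

```python
"""Redirect URI and CORS origin checks for an OAuth client registration.

Added example, not Optare's own code. REGISTERED_REDIRECT_URIS and
ALLOWED_ORIGINS are constructed samples mirroring the wizard examples.
"""
from urllib.parse import urlsplit

# Constructed sample registration, as a developer would enter it in Steps 2 and 3.
REGISTERED_REDIRECT_URIS = {
    "https://yourapp.com/auth/callback",
    "https://staging.yourapp.com/auth/callback",
}
ALLOWED_ORIGINS = {"https://yourapp.com"}


def is_valid_redirect_registration(uri: str) -> bool:
    """Accept a redirect URI for registration only if it is absolute HTTPS,
    names a host, contains no wildcard, and carries no fragment (a fragment
    is never sent to the server, so it cannot be part of the callback)."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.fragment or "*" in parts.netloc:
        return False
    return True


def redirect_uri_allowed(requested: str) -> bool:
    """Exact string match against the registered set. No prefix or
    pattern matching: a different path or an added query string must not
    pass, because the authorization code is delivered to this URL."""
    return requested in REGISTERED_REDIRECT_URIS


def origin_allowed(origin_header: str) -> bool:
    """CORS check for browser requests: the Origin header is scheme and
    host (plus port) only, so normalize to that before comparing."""
    parts = urlsplit(origin_header)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS
```

Exact matching is what makes the registration meaningful: the portal can only protect the callback it knows about, so the value the app sends at authorization time has to be byte-for-byte the one registered in Step 2.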

Step 4: Allowed Scopes

  • Select what your app can request:
    • openid - Basic authentication
    • email - Email address
    • profile - Name and picture
    • Product scopes - Access to specific products

Step 5: Save Credentials

  • Client ID - Public identifier
  • Client Secret - Private key (keep secure!)

Critical: Store your Client Secret securely. Never share it or commit it to version control!
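Pulling the five wizard steps together, here is an added example (not Optare's own code) of the client side of the authorization code flow using those settings: the registered redirect URI, the scopes from Step 4, a per-login `state` value checked on return, and the Client Secret read from an environment variable rather than written into source. The authorize and token endpoint URLs (`auth.optare.example`) and the client ID are placeholders; use the values shown on your OAuth Clients page.

```python
"""Authorization-code flow client built from the wizard settings.

Added example, not Optare's own code. AUTHORIZE_URL, TOKEN_URL and
CLIENT_ID are placeholders; the client secret comes from the environment.
"""
import os
import secrets
from typing import Mapping
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.optare.example/oauth/authorize"  # placeholder endpoint
TOKEN_URL = "https://auth.optare.example/oauth/token"          # placeholder endpoint
CLIENT_ID = "example-client-id"                                 # placeholder public identifier
REDIRECT_URI = "https://yourapp.com/auth/callback"              # must match Step 2 exactly
SCOPES = ["openid", "email", "profile"]                          # only what the app needs (Step 4)


def load_client_secret(env: Mapping[str, str] = os.environ) -> str:
    """Fail closed if the secret is absent instead of falling back to a literal."""
    secret = env.get("OPTARE_CLIENT_SECRET")
    if not secret:
        raise RuntimeError("OPTARE_CLIENT_SECRET is not set")
    return secret


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session for the callback check."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str) -> str:
    """URL the user is sent to; Optare shows the permissions screen here."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to REDIRECT_URI.
    A Deny click arrives as an error parameter; a state mismatch means the
    callback was not started by this session and is discarded."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization denied: {query['error'][0]}")
    received = query.get("state", [""])[0]
    if not secrets.compare_digest(received.encode(), expected_state.encode()):
        raise ValueError("state mismatch; discarding callback")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code: str, client_secret: str) -> dict:
    """Form body for the server-side POST to TOKEN_URL. This request is the
    only place the secret is used, and it never goes through the browser."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
```

The token request is sent from your backend with an HTTP client of your choice; the example stops at building the body so that it runs without network access. Note that `redirect_uri` is repeated in the token request so the server can confirm it matches the one used at authorization.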

OAuth Client Management

Editing a Client

  1. Go to OAuth Clients
  2. Find your client
  3. Click "Edit"
  4. Update settings
  5. Save changes

Regenerating Secret

If your secret is compromised:

  1. Click "Regenerate Secret"
  2. Copy the new secret
  3. Update your application immediately
  4. Old secret stops working instantly

Disabling a Client

Temporarily disable without deleting:

  1. Toggle the enable/disable switch
  2. When disabled, all authorization requests fail
  3. Existing tokens remain valid
  4. Re-enable anytime

Deleting a Client

Permanently remove:

  1. Click "Delete"
  2. Confirm deletion
  3. All issued tokens are revoked
  4. Cannot be undone

Security Best Practices

For Users

  1. Review permissions - Only authorize apps you trust
  2. Audit regularly - Review connected apps monthly
  3. Revoke unused apps - Reduce your attack surface
  4. Check last accessed - Disconnect dormant apps

For Developers

  1. Request minimum scopes - Only ask for what you need
  2. Secure client secret - Never expose publicly
  3. Use HTTPS - All redirect URIs must use HTTPS
  4. Rotate secrets - Periodically regenerate
  5. Handle revocation - App should handle 401 errors gracefully
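Practice 5 is the one most often skipped. The following added example (not Optare's own code) shows a backend treating a 401 as a revoked connection: the stored token is discarded, the user's connection is flagged as needing re-authorization, and the same token is never retried. The API URL and response shapes are assumptions, and a fake transport with constructed responses replaces the network so the logic runs offline.

```python
"""Handling a revoked connection gracefully.

Added example, not Optare's own code. API_ME_URL is a placeholder; the
transport and its responses are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

API_ME_URL = "https://api.optare.example/v1/me"  # placeholder endpoint


@dataclass
class Connection:
    """What the app stores per user after authorization."""
    user_id: str
    access_token: Optional[str]
    needs_reauth: bool = False


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def fetch_profile(conn: Connection, send: Callable[[str, dict], Response]) -> Optional[dict]:
    """send(url, headers) is the injected HTTP transport.
    A 401 means the user revoked access (or the client was deleted): drop the
    token, flag the connection, and return None so the UI can offer a fresh
    'Connect to Optare' instead of failing repeatedly in the background."""
    if conn.access_token is None or conn.needs_reauth:
        return None  # no valid token; caller must start a new authorization
    resp = send(API_ME_URL, {"Authorization": f"Bearer {conn.access_token}"})
    if resp.status == 401:
        conn.access_token = None
        conn.needs_reauth = True
        return None
    if resp.status != 200:
        raise RuntimeError(f"unexpected status {resp.status} from {API_ME_URL}")
    return resp.body


# Constructed fake transport: 'tok-old' stands for a token the user revoked.
REVOKED_TOKENS = {"tok-old"}
CALLS: list = []  # records each request so a test can confirm there is no retry


def fake_send(url: str, headers: dict) -> Response:
    CALLS.append(url)
    token = headers["Authorization"].split(" ", 1)[1]
    if token in REVOKED_TOKENS:
        return Response(401, {"error": "invalid_token"})
    return Response(200, {"email": "user@example.com", "name": "Example User"})
```

Keeping `needs_reauth` on the stored connection is what makes the behaviour graceful: after one 401 the app stops calling the API for that user until they reconnect, which also keeps the Last accessed date in the portal honest.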

Troubleshooting

App not working after connecting?

  • Check if app has necessary permissions
  • Try disconnecting and reconnecting
  • Verify app is using correct scopes
  • Contact app support

Can't authorize an app?

  • Check redirect URI is correctly configured
  • Verify app is not disabled
  • Clear browser cache/cookies
  • Try different browser

"Invalid client" error?

  • Client ID may be incorrect
  • Client may be disabled or deleted
  • Contact app developer

Want to change permissions?

  • Must revoke and reconnect
  • Alternative: App developer updates requested scopes
