# OAuth 2.0 authentication

Glue uses OAuth2 authentication, which is required to use the API. An OAuth2 authorization grant flow can be used to install an app to a workspace and to obtain an access token for a dedicated user associated with the app in that workspace. Private apps can also be installed to a workspace from within the product.

Regardless of installation method, once an app is installed to a workspace, an OAuth2 token request with client credentials can also be used to obtain an access token for a given app user by providing a workspace ID. This can eliminate the burden of maintaining a set of access and refresh tokens for each workspace that an app is installed to.

The app user tokens you obtain allow you to perform operations using a specific user associated with your app. In the future we plan to allow apps to obtain tokens for standard Glue users using an OAuth2 authorization grant flow.

{% hint style="info" %}
You must create a workspace for the purpose of managing the OAuth2 Application.
{% endhint %}

## Create an OAuth2 application

Create a new OAuth2 Application in Glue and configure the redirect callback URLs to your application.

{% hint style="success" %}
If you're having trouble finding Custom Apps, contact <support@glue.ai> to ensure Custom OAuth Apps are enabled on your workspace!
{% endhint %}

## Obtaining an access token via Client Credentials request

Custom OAuth apps are automatically added to the workspace they're created in. You can obtain an access token for the app user for that workspace by making a client credentials request to `/oauth/token` with a `subject` field containing the ID of the workspace.

```http
POST https://api.gluegroups.com/oauth/token HTTP/1.1
```

{% hint style="info" %}
Pass parameters in the request body as a [URL-encoded form submission](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST#url-encoded_form_submission), with the `Content-Type` header set to `application/x-www-form-urlencoded`.
{% endhint %}

| Parameter                       | Description                                                                          |
| ------------------------------- | ------------------------------------------------------------------------------------ |
| `subject`                       | (required) The workspace to obtain a token for (e.g. `wks_32kbzWHxtQvfVEgwEdQduuxRTYG`) |
| `redirect_uri`                  | (required) The registered redirect URL                                               |
| `client_id`                     | (required) Application's client ID                                                   |
| `client_secret`                 | (required) Application's client secret                                               |
| `grant_type=client_credentials` | (required)                                                                           |

### Response

The token you obtain will contain the workspace app user's ID. There is no refresh token in this case as you can simply obtain another token by repeating the request so long as the application is still installed.

```json
{
  "user_id": "usr_uxRTYG32kbzWHxtQvfVEgwEdQdu",
  "access_token": "00a21d8b0c4e2375114e49c067dfb81eb0d2076f48354714cd5df984d87b67cc",
  "token_type": "Bearer",
  "expires_in": 315705599
}
```
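
The request and response handling described above, as an added TypeScript example (not taken from Glue's documentation or SDK): it builds the form body, validates the response shape, and keeps one token per workspace in memory. The helper and type names are hypothetical; because `expires_in` in the sample response is very long, a cached token should be handled like any long-lived secret.

```typescript
// Added example. AppCredentials, AppToken and the functions below are hypothetical
// helpers, not part of the Glue SDK; the URL and field names come from this page.
const TOKEN_URL = "https://api.gluegroups.com/oauth/token";

interface AppCredentials { clientId: string; clientSecret: string; redirectUri: string }
interface AppToken { userId: string; accessToken: string; expiresAt: number }

// Form-encode the parameters; URLSearchParams escapes '&', '=' and '/' inside the secret.
function buildTokenRequest(creds: AppCredentials, workspaceId: string) {
  const form = new URLSearchParams({
    grant_type: "client_credentials",
    subject: workspaceId,
    redirect_uri: creds.redirectUri,
    client_id: creds.clientId,
    client_secret: creds.clientSecret,
  });
  const headers: Record<string, string> = { "Content-Type": "application/x-www-form-urlencoded" };
  return { method: "POST", headers, body: form.toString() };
}

// Check the response shape before using it, and convert expires_in (seconds) to a deadline.
function parseTokenResponse(json: unknown, nowMs: number): AppToken {
  const { user_id, access_token, token_type, expires_in } = (json ?? {}) as Record<string, unknown>;
  if (typeof user_id !== "string" || typeof access_token !== "string" || access_token === "" ||
      typeof token_type !== "string" || token_type.toLowerCase() !== "bearer" ||
      typeof expires_in !== "number" || !(expires_in > 0)) {
    throw new Error("unexpected token response"); // do not log the body: it may contain a token
  }
  return { userId: user_id, accessToken: access_token, expiresAt: nowMs + expires_in * 1000 };
}

const tokenCache = new Map<string, AppToken>(); // keyed by workspace ID, in memory only

// Return the cached token for a workspace, requesting a new one when absent or near expiry.
async function getAppToken(creds: AppCredentials, workspaceId: string, skewMs = 60000): Promise<AppToken> {
  const cached = tokenCache.get(workspaceId);
  if (cached && cached.expiresAt - skewMs > Date.now()) return cached;
  const res = await fetch(TOKEN_URL, buildTokenRequest(creds, workspaceId));
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const token = parseTokenResponse(await res.json(), Date.now());
  tokenCache.set(workspaceId, token);
  return token;
}
```

Run this server-side only, since every token request carries the client secret.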

## Make an API request

Once you have obtained a valid access token, you can make a request to Glue's GraphQL API. You can initialize the [Glue Client](https://docs.glue.ai/developers/sdk) with the access token:

```typescript
const client = new GlueClient({ accessToken: response.access_token });
const me = await client.me;
```

Or pass the token as an authorization header: `Authorization: Bearer <ACCESS_TOKEN>`

```sh
curl https://api.gluegroups.com/public/graphql \
  -X POST \
  -H "Content-Type: application/json" \
  -H 'Authorization: Bearer <ACCESS_TOKEN>' \
  --data '{ "query": "{ me { id name } }" }'
```

