Skip to Content
Developer DocsOAuth appsOverview

OAuth apps let you build integrations that other RevRoute users can install — for example a Zapier-style connector, a Notion sidebar, or a mobile companion app. Instead of asking users to paste a personal API key into your app, they click Authorize and RevRoute issues your app a scoped access token on their behalf.

If you’re building a script that only talks to your own workspace, use a personal API key — OAuth is overkill.

Public vs private apps

RevRoute supports the two OAuth 2.0 client profiles defined by RFC 6749  and RFC 7636 :

Private (confidential)Public
Where it runsA backend you controlBrowser, mobile, desktop app
Has a client_secretYes — never expose itNo — secret cannot be stored safely
FlowAuthorization codeAuthorization code + PKCE
Token storageServer-side databaseSecure storage on the device
Refresh tokensYesYes (rotated on each use)
⚠️

Marking a client as “public” disables client_secret. If your integration runs even partially in a browser or mobile app — choose public and use PKCE. Embedding a client_secret in shipped code is a security incident.

Endpoints

All OAuth endpoints live under https://api.revroute.ru:

PurposeEndpoint
Start the user-facing flowGET https://app.revroute.ru/oauth/authorize
Exchange a code for tokensPOST https://api.revroute.ru/oauth/token
Refresh an access tokenPOST https://api.revroute.ru/oauth/token (grant refresh_token)
Read the authorized userPOST https://api.revroute.ru/oauth/userinfo

Token lifetimes

TokenDefault lifetimeFormat
Authorization code2 minutesSingle-use
Access token2 hoursdub_access_token_...Bearer header
Refresh token120 daysRotated on every refresh

Refresh tokens are rotated — every call to /oauth/token with grant_type=refresh_token returns a new refresh token and invalidates the previous one. Persist the latest one or the next refresh will fail.

Identifiers

When you create an app at /<workspace>/settings/oauth-apps you receive:

  • client_id — public, prefixed dub_app_...
  • client_secret — only shown once at creation (private apps only), prefixed dub_app_secret_...
  • One or more redirect_uri values — exact-match check on the authorize endpoint

You can rotate the secret at any time; the old secret keeps working for 24 hours to allow zero-downtime rotation.

Next steps

Quickstart

A working authorization-code example end to end.

Scopes

Every scope your app can request, and what it grants.

PKCE

The flow public clients (SPA, mobile) must use.

API errors

Error codes returned by the token endpoint.

Last updated on