OAuth 2.0 Setup

This skill enables an AI agent to implement OAuth 2.0 authentication for API integrations. The agent selects the appropriate grant type for the use case—authorization code with PKCE for user-facing apps, client credentials for machine-to-machine auth, and device code for input-limited devices. It handles token storage, refresh token rotation, CSRF protection via the state parameter, and secure credential management throughout the flow.

Workflow

  1. Select the appropriate grant type: Choose the OAuth 2.0 flow based on the client type. Use authorization code with PKCE for web and mobile apps where a user is present—PKCE replaces the client secret and prevents authorization code interception attacks. Use client credentials for server-to-server communication with no user context. Use device code flow for CLI tools or smart TVs where browser-based login isn't possible. Implicit flow is deprecated and should not be used.

  2. Register the application with the provider: Create an OAuth application in the provider's developer console (Google, GitHub, Auth0, etc.). Configure the redirect URI precisely—mismatched URIs are the most common setup error. For PKCE flows, mark the application as a public client. Record the client ID, client secret (if applicable), authorization endpoint, token endpoint, and scopes.

  3. Implement the authorization request: Construct the authorization URL with the required parameters: client_id, redirect_uri, response_type=code, scope, and a cryptographically random state parameter for CSRF protection. For PKCE, generate a random code_verifier (43-128 characters), derive the code_challenge using SHA-256, and include both code_challenge and code_challenge_method=S256 in the request. Store the state and code_verifier in the session.

  4. Handle the callback and exchange tokens: When the provider redirects back with the authorization code, first verify the state parameter matches what was stored in the session. Then exchange the code for tokens by POSTing to the token endpoint with grant_type=authorization_code, the authorization code, redirect_uri, client_id, and the code_verifier (for PKCE). Parse the response for access_token, refresh_token, expires_in, and token_type.

  5. Store tokens securely: Never store tokens in localStorage (XSS vulnerable) or URL parameters (logged in server access logs). Use HTTP-only secure cookies for web apps, the system keychain for desktop apps, and encrypted storage for mobile apps. Store refresh tokens server-side when possible. Record token expiration timestamps so you can proactively refresh before expiry.

  6. Implement token refresh and rotation: Before each API call, check if the access token is expired or about to expire (within a 60-second window). If so, use the refresh token to get a new access token. Handle refresh token rotation—when the provider issues a new refresh token alongside the new access token, store the new refresh token and invalidate the old one. If refresh fails with an invalid_grant error, the user must re-authenticate.
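As an added example (not code from the skill itself), the client-side logic of steps 3 through 6 in Python: PKCE verifier/challenge generation, the authorization request with a random state, state verification on the callback, and expiry tracking with refresh token rotation. The endpoint, client ID and redirect URI are placeholder assumptions, and no HTTP request is sent; the functions return the parameters the agent would send to the provider.

```python
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values; replace with the provider's registration data.
AUTH_ENDPOINT = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/callback"

def b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def derive_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(code_verifier)), i.e. method S256.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair() -> tuple[str, str]:
    # 32 random bytes encode to a 43-character verifier, the RFC 7636 minimum.
    verifier = b64url(secrets.token_bytes(32))
    return verifier, derive_challenge(verifier)

def build_authorization_request(scope: str) -> tuple[str, dict]:
    # Returns the redirect URL and the values the session must keep for step 4.
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)  # unguessable CSRF binding
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", {"state": state, "code_verifier": verifier}

def handle_callback(callback_url: str, session: dict) -> dict:
    # Check state before using the code; returns the token-endpoint POST body.
    q = parse_qs(urlparse(callback_url).query)
    if not secrets.compare_digest(q.get("state", [""])[0], session["state"]):
        raise ValueError("state mismatch: possible CSRF, abort the flow")
    return {"grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session["code_verifier"]}

def store_tokens(store: dict, token_response: dict, now: float) -> dict:
    # Record absolute expiry; a newly issued refresh token replaces the old one.
    store["access_token"] = token_response["access_token"]
    store["expires_at"] = now + token_response["expires_in"]
    if token_response.get("refresh_token"):
        store["refresh_token"] = token_response["refresh_token"]
    return store

def needs_refresh(store: dict, now: float, window: int = 60) -> bool:
    # Refresh proactively once within `window` seconds of expiry.
    return now >= store["expires_at"] - window
```

The challenge derivation can be checked against the RFC 7636 Appendix B test vector; if the provider's token response omits a refresh token, the previously stored one is kept.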

First Seen: Mar 19, 2026