Endpoint Discovery
You can provide endpoint URLs directly, or let Orceum discover them automatically using standard discovery protocols:
- Authorization URL: The provider's authorization endpoint, e.g., `https://accounts.google.com/o/oauth2/v2/auth`.
- Token URL: The provider's token exchange endpoint, e.g., `https://oauth2.googleapis.com/token`.
- Revoke URL (Optional): Token revocation endpoint. Called automatically when a user uninstalls your app.
- OpenID Config URL (Optional): OpenID Connect discovery document URL, e.g., `https://accounts.google.com/.well-known/openid-configuration`. If provided, Orceum fetches the endpoints from here (overriding manual entries).
- Authorization Server URL (Optional): OAuth 2.0 Authorization Server Metadata URL. Used as a fallback if the OpenID Config URL is not provided.
- Server URL (Optional): Base URL for the provider. Orceum will append standard paths to attempt endpoint discovery.
Client Credentials
- Client ID: Your app’s OAuth client ID from the provider.
- Client Secret: Your app’s OAuth client secret. This is stored encrypted.
Authorization Flow
- Scopes: A comma-separated list of OAuth scopes to request (e.g., `read:user, write:data`). Request only the scopes your app needs.
- Use PKCE: Enable Proof Key for Code Exchange (PKCE). Recommended for public clients. When enabled, Orceum generates a `code_verifier` and `code_challenge` pair.
- Additional Auth Params: Key-value pairs added to the authorization URL query string.
  - Google example (to get a refresh token on first consent): Key: `access_type`, Value: `offline`; Key: `prompt`, Value: `consent`
  - Slack example (for granular user scopes): Key: `user_scope`, Value: `channels:read,users:read`
- Redirect URIs: You must register the following exact URI with your OAuth provider:
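The following is an added example, not Orceum's own code, showing what the Authorization Flow settings above turn into on the wire: a PKCE `code_verifier`/`code_challenge` pair (RFC 7636, S256 method), the comma-separated scope list converted to the space-delimited `scope` parameter, and Additional Auth Params appended to the query string without being allowed to shadow core parameters. The redirect URI and `state` value are constructed placeholders; the function names are assumptions.

```python
"""Added example (not Orceum's own code): PKCE pair generation and
authorization URL assembly from the settings described on this page."""
import base64
import hashlib
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random high-entropy verifier: 32 bytes -> 43 base64url chars (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Parameters that Additional Auth Params must never override.
CORE_PARAMS = {"response_type", "client_id", "redirect_uri", "scope", "state",
               "code_challenge", "code_challenge_method"}


def build_authorization_url(auth_url: str, client_id: str, redirect_uri: str,
                            scopes: str, state: str,
                            code_challenge: Optional[str] = None,
                            extra_params: Optional[Dict[str, str]] = None) -> str:
    """Assemble the URL the user is redirected to.

    `scopes` is the comma-separated config value; OAuth sends scopes space-delimited.
    `extra_params` are passed through verbatim (Slack's user_scope keeps its commas).
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the URI registered with the provider exactly
        "scope": " ".join(s.strip() for s in scopes.split(",") if s.strip()),
        "state": state,  # CSRF binding: store server-side and compare on the callback
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    for key, value in (extra_params or {}).items():
        if key in CORE_PARAMS:
            raise ValueError(f"additional auth param {key!r} would override a core parameter")
        params[key] = value
    return f"{auth_url}?{urlencode(params)}"


def parse_query(url: str) -> Dict[str, str]:
    """Inspect a built URL: returns single-valued, percent-decoded query parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    verifier = make_code_verifier()  # keep alongside the state until the token exchange
    url = build_authorization_url(
        "https://accounts.google.com/o/oauth2/v2/auth",
        client_id="xxx.apps.googleusercontent.com",            # placeholder, as on the page
        redirect_uri="https://example.invalid/oauth/callback",  # constructed placeholder
        scopes="openid, email, profile",
        state=secrets.token_urlsafe(16),
        code_challenge=code_challenge_s256(verifier),
        extra_params={"access_type": "offline", "prompt": "consent"},
    )
    print(url)
```

The verifier is generated per authorization attempt and only its challenge leaves the server; the verifier itself is sent later, with the code, to the token endpoint.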
Token Lifecycle Overrides
Some providers deviate from the standard OAuth 2.0 token response fields. You can override what Orceum looks for:
- Token Expiry Field: The field name containing the expiry value in seconds. Default is `expires_in`.
- Token Type Field: The field name describing the token type. Default is `token_type`.
Dynamic Client Registration (DCR)
If your provider supports RFC 7591 Dynamic Client Registration, you can enable Supports Dynamic Registration. When enabled, Orceum will register your app dynamically with the provider on first connection. On success, the backend automatically and securely stores your newly issued `client_id` and `client_secret`. You do not need to provide them manually.
Token Lifecycle Managed by Orceum
| Lifecycle Event | What Orceum Does |
|---|---|
| New installation | Redirects user → receives code → exchanges for access_token + refresh_token |
| Token nearing expiry | Automatically refreshes using refresh_token before the next action call |
| App returns 401 | Attempts token refresh, retries request once |
| Refresh fails | Marks installation REAUTH_REQUIRED, prompts user to re-authenticate |
| User uninstalls | Calls revoke_url (if configured) to invalidate tokens |
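As an added example (not Orceum's implementation), the following puts the Token Lifecycle Overrides and the lifecycle table into working code: a token response is normalized using configurable expiry and token-type field names (a GitHub-style response with no `expires_in` is treated as non-expiring), a refresh is attempted before expiry, a 401 triggers one refresh-and-retry, and a failed refresh marks the installation `REAUTH_REQUIRED`. HTTP transport is injected as plain callables so it runs offline; the `Installation` class, the 60-second refresh margin and the helper names are assumptions, and all token values are constructed.

```python
"""Added example (not Orceum's own code): token response normalization
with field-name overrides, plus the refresh / 401-retry / REAUTH_REQUIRED
lifecycle described on this page."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

REFRESH_MARGIN_S = 60.0  # assumed: refresh this long before expiry


@dataclass
class TokenConfig:
    expiry_field: str = "expires_in"      # Token Expiry Field override
    token_type_field: str = "token_type"  # Token Type Field override


@dataclass
class Installation:
    access_token: str
    refresh_token: Optional[str] = None
    expires_at: Optional[float] = None    # None: provider token does not expire (GitHub default)
    token_type: str = "Bearer"
    status: str = "ACTIVE"


def normalize_token_response(resp: dict, cfg: TokenConfig, now: float) -> Installation:
    """Map a raw token response onto Installation using the configured field names."""
    if "access_token" not in resp:
        raise ValueError("token response lacks access_token")
    expires_in = resp.get(cfg.expiry_field)
    return Installation(
        access_token=resp["access_token"],
        refresh_token=resp.get("refresh_token"),
        expires_at=(now + float(expires_in)) if expires_in is not None else None,
        token_type=resp.get(cfg.token_type_field, "Bearer"),
    )


def needs_refresh(inst: Installation, now: float) -> bool:
    """True when the token is within the margin of its expiry; never for non-expiring tokens."""
    return inst.expires_at is not None and now >= inst.expires_at - REFRESH_MARGIN_S


Request = Callable[[str], Tuple[int, str]]   # access_token -> (http_status, body)
Refresh = Callable[[str], dict]              # refresh_token -> raw token response


def call_action(inst: Installation, do_request: Request, do_refresh: Refresh,
                cfg: TokenConfig, now: float) -> Optional[Tuple[int, str]]:
    """One action call under the lifecycle rules. Returns (status, body) or None
    when the installation has been marked REAUTH_REQUIRED."""

    def try_refresh() -> bool:
        if not inst.refresh_token:
            return False
        try:
            fresh = normalize_token_response(do_refresh(inst.refresh_token), cfg, now)
        except Exception:  # invalid_grant, network error, malformed response
            return False
        inst.access_token = fresh.access_token
        inst.refresh_token = fresh.refresh_token or inst.refresh_token  # some providers omit it on refresh
        inst.expires_at = fresh.expires_at
        inst.token_type = fresh.token_type
        return True

    if needs_refresh(inst, now) and not try_refresh():
        inst.status = "REAUTH_REQUIRED"
        return None
    status, body = do_request(inst.access_token)
    if status == 401:
        if not try_refresh():
            inst.status = "REAUTH_REQUIRED"
            return None
        status, body = do_request(inst.access_token)  # retry exactly once
    return status, body


def demo_github_like() -> Installation:
    """Constructed GitHub-style response: no expires_in, no refresh_token."""
    resp = {"access_token": "gho_CONSTRUCTED", "token_type": "bearer", "scope": "repo"}
    return normalize_token_response(resp, TokenConfig(), now=1000.0)


def demo_custom_fields() -> Installation:
    """Constructed non-standard provider using 'expires' and 'type' as field names."""
    cfg = TokenConfig(expiry_field="expires", token_type_field="type")
    resp = {"access_token": "at1", "refresh_token": "rt1", "expires": 3600, "type": "Bearer"}
    return normalize_token_response(resp, cfg, now=1000.0)


def demo_401_then_retry():
    """First request 401, refresh succeeds, retry with the new token returns 200."""
    inst = Installation(access_token="old", refresh_token="rt1", expires_at=5000.0)
    calls = []

    def do_request(token):
        calls.append(token)
        return (200, "ok") if token == "new" else (401, "unauthorized")

    def do_refresh(_rt):
        return {"access_token": "new", "refresh_token": "rt2", "expires_in": 3600}

    return call_action(inst, do_request, do_refresh, TokenConfig(), now=1000.0), inst, calls


def demo_refresh_failure():
    """401 followed by a refresh that fails: installation is marked REAUTH_REQUIRED."""
    inst = Installation(access_token="old", refresh_token="rt1", expires_at=5000.0)

    def do_refresh(_rt):
        raise RuntimeError("invalid_grant")

    return call_action(inst, lambda _t: (401, "unauthorized"), do_refresh, TokenConfig(), now=1000.0), inst
```

The refresh path deliberately swallows the refresh error and reports failure rather than propagating it, so the caller sees a single `REAUTH_REQUIRED` outcome instead of a retry loop; the one-retry rule keeps a provider that keeps returning 401 from being hammered.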
Common Provider Configurations
Google
- Client ID: `xxx.apps.googleusercontent.com`
- Client Secret: `GOCSPX-...`
- OpenID Config URL: `https://accounts.google.com/.well-known/openid-configuration`
- Scopes: `openid, email, profile`
- Use PKCE: Enabled
- Additional Auth Params: `access_type: offline`, `prompt: consent`
GitHub
- Client ID: `Ov23li...`
- Client Secret: `your_client_secret`
- Authorization URL: `https://github.com/login/oauth/authorize`
- Token URL: `https://github.com/login/oauth/access_token`
- Scopes: `repo, read:user, notifications`
GitHub access tokens do not expire by default unless you explicitly opt into expiring tokens in your GitHub OAuth app settings.
Slack
- Client ID: `1234567890.1234567890`
- Client Secret: `your_client_secret`
- Authorization URL: `https://slack.com/oauth/v2/authorize`
- Token URL: `https://slack.com/api/oauth.v2.access`
- Scopes: `channels:read, chat:write, users:read`
- Additional Auth Params: `user_scope: channels:read,users:read`