OAuth 2.0 Authentication


When working with the Procore Connect API your application will access Procore on behalf of your users. Each user will need to authenticate with Procore to verify their identity and to give your application permission to use and access their data.

OAuth 2.0 is a protocol that allows third-party applications to request authorization. At the end of the OAuth 2.0 flow, an expiring access token is returned to your application. This token will need to be submitted with each API request in order to identify the end user and your application.

Because Procore implements the OAuth 2.0 protocol, your application does not need to store or transmit user passwords. Access may be revoked at any point by the end user. The result is a more secure API for Procore end users.

Initial Setup

Before you can start using OAuth 2.0 with your application, you will need to Create an App in the Developer Portal. Once you finish creating your application, make a note of both your Client ID and Client Secret.

Overview of Procore OAuth 2.0 Flow

Here is a simple diagram illustrating the Procore OAuth 2.0 flow:

OAuth 2.0 Flow Overview

The basic idea here is that Procore user ‘Jim’ needs to authorize Safety App to get access to his projects in Procore. Jim will be redirected to Procore to authorize Safety App to access his projects. Once he clicks Allow, Safety App can get Jim’s project data from Procore.

Here is a detailed diagram of the OAuth 2.0 flow for web server applications:

OAuth 2.0 Flow on Web

The first step in the OAuth 2.0 flow is to redirect the user to the Procore authorization endpoint. This is the result of some action in your application, such as the user clicking 'Connect with Procore’. Your application then redirects the user to the Procore authorization page. After landing on the Procore authorization page, the user is prompted to log in and grant access to your application by clicking Allow.

Once the user grants authorization, they are redirected back to your application. Along with the redirect comes an authorization code. Your application then makes a request to Procore to exchange this authorization code for an access token. This is the token that needs to be submitted with each API request in order to identify and verify the user. To submit the token with your request, embed it in the “Authorization” header with the value “Bearer <your token>”.

The access token is set to expire in two hours. Once it expires, you will need to refresh the token. More detailed information on each of the steps is documented below.