OAuth 2.0 for Client-Side Applications

If you are using a client-side application such as one written in JavaScript, it is recommended that you still use a server to store the Client ID and Client Secret and generate the access token, so that no one outside the device/server will be able to see the secret key.

Your Javascript application cannot make a POST request to Procore /oauth/token endpoint in order to get the access token. For valid domains you wish to be whitelisted so you avoid CORS issues, please send us an email listing those domains to apisupport@procore.com.