OAuth 2.0 for Client-Side Applications


If you are using a client-side application such as one written in JavaScript, it is recommended that you still use a server to store the Client ID and Client Secret and generate the access token, so that no one outside the device/server will be able to see the secret key.

Your JavaScript application cannot make a POST request to Procore /oauth/token endpoint in order to get the access token or refresh token.

Implementing Implicit Grant Flow in Your Client-Side Application

  • Log in to the Developers Portal and create an application at https://developers.procore.com/developers.
  • Under App Credentials, set the OAuth Redirect URI.
  • To avoid potential CORS issues, please send an email to apisupport@procore.com listing those domains you wish to be whitelisted.
  • From your client-side application, construct the URL for the authorization endpoint with the proper query parameters. Note the use of ?response_type=token.
    GET /oauth/authorize?response_type=token&client_id=<client_id>&redirect_uri=<redirect>
  • Upon successful authentication, the access token is available through the URL hash.
    window.location.hash returns #access_token=<value>&token_type=bearer&expires_in=86400
  • Any following request headers should contain the access token.
    'Authorization': 'Bearer <access_token>'