Introduction to OAuth 2.0
When working with the Procore API your application will access Procore on behalf of your users. Each user will need to authenticate with Procore to verify their identity and to give your application permission to use and access their data.
OAuth 2.0 is a protocol that allows third-party applications to authenticate with APIs. OAuth 2.0 facilitates two main actions - obtaining an access token through user authorization, and using that access token to make API requests. At the end of a successful OAuth 2.0 exchange, an access token that lasts for two hours is returned to your application. You will need to submit this token with each Procore API request in order to properly identify your application and access end-user data in a secure manner.
Because the Procore API supports the OAuth 2.0 protocol, your application does not need to store or transmit user account names or passwords, but instead relies on application credentials in the form of a Client ID and Client Secret that are unique to your application. The OAuth 2.0 protocol uses these credentials as part of an authorization step in which the user chooses to allow (or deny) your application access their data in Procore. Access granted to your application may be revoked at any point by the end user. The result is a more secure API for Procore end users.
If you are brand new to OAuth 2.0, we recommend you review the official OAuth 2.0 specification, as well as OAuth 2.0 Simplified by Aaron Pareki to help you come up to speed with the OAuth 2.0 protocol.