Managing OAuth Credentials and Redirect URIs

Background

Once you have registered a new application on the Developer Portal and obtained production credentials, you can use the App Credentials section of the App Settings page to manage the Client ID, Client Secret, and OAuth Redirect URIs for your app.

Managing OAuth Credentials

Using the App Credentials section on the App Settings page, you can view the Client ID for your app and reset the Client Secret as needed. You will use the Client ID, which is considered public information, to build login URLs or to include in JavaScript source. The Client Secret, on the other hand, must be kept confidential. In fact, your Client Secret is only visible to you once, when you initially request production credentials. If your application cannot keep the Client Secret confidential, as is the case with single-page JavaScript applications or native applications, then you should not use the Client Secret. This is a common scenario with applications that implement the Implicit grant type.

Access and manage your OAuth credentials using the following steps:

  1. Log in to the Developer Portal and click the tile for the app that you want to manage OAuth credentials for.
  2. Scroll down to the App Credentials section.
  3. Now, simply click into the Client ID field to copy the key value to the clipboard, then paste that value into your source code, server config file, or other location as needed.
  4. In the event that you need to obtain a new Client Secret, click Reset Client Secret.
  5. In the confirmation dialog, click the checkbox indicating that you understand that generating a new Client Secret will revoke your previous one and all access tokens generated using it. Your Client ID will remain unchanged.
  6. Click Reset Client Secret again. Save a copy of your new Client Secret to a safe location. This is the only time you will be able to view it. If your Client Secret is lost you will need to reset it again.
  7. Click Back to return to the App Settings page.

Managing OAuth Redirect URIs

Once a user successfully authorizes your app to access their data in Procore, the Procore authorization server redirects them back to your app with either an authorization code or access token in the URL depending on the particular OAuth 2.0 grant type you have implemented. To ensure that the user's browser is directed back to the proper location, you are required to register one or more Redirect URIs for your application. The http://localhost redirect URI is registered by default when you create a new application in the Developer Portal. Use the following steps to manage existing redirect URIs, or add new ones.

  1. Log in to the Developer Portal and click the tile for the app that you want to manage redirect URIs for.
  2. Scroll down to the App Credentials section.
  3. Click into the Redirect URIs text field to edit existing URIs or enter new URIs, one per line. Note that only the default http://localhost redirect URI may use http://; all other URIs must use https://.
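
As an added example (not Procore's code), the following script pre-checks a list of redirect URIs against the rule in step 3 before you paste it into the field. It assumes a strict reading in which only the exact value http://localhost may use http://, and it also rejects fragments, which RFC 6749 forbids in redirect URIs; the function names and sample URIs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: strict reading of the rule above; only this exact value may use http://.
DEFAULT_LOCAL_URI = "http://localhost"

def check_redirect_uri(uri):
    """Return the list of problems found in one redirect URI (empty means OK)."""
    if uri == DEFAULT_LOCAL_URI:
        return []
    try:
        parts = urlsplit(uri)  # urlsplit lowercases the scheme for us
    except ValueError as exc:
        return [f"not a parseable URI: {exc}"]
    problems = []
    if parts.scheme == "http":
        problems.append("only http://localhost may use http://; use https://")
    elif parts.scheme != "https":
        problems.append("scheme must be https://")
    if not parts.hostname:
        problems.append("missing host")
    if "#" in uri:
        problems.append("fragment not allowed (RFC 6749, section 3.1.2)")
    return problems

def validate_redirect_uris(field_text):
    """Check a one-URI-per-line field; return [(line_no, uri, problems)] for bad lines."""
    seen, findings = {}, []
    for line_no, raw in enumerate(field_text.splitlines(), start=1):
        uri = raw.strip()
        if not uri:
            continue  # blank lines are ignored
        problems = check_redirect_uri(uri)
        if uri in seen:
            problems.append(f"duplicate of line {seen[uri]}")
        seen.setdefault(uri, line_no)
        if problems:
            findings.append((line_no, uri, problems))
    return findings

# Constructed sample input, not taken from a real application.
SAMPLE_FIELD = """http://localhost
https://app.example.com/oauth/callback
http://app.example.com/oauth/callback
https://app.example.com/cb#done
app.example.com/cb
https://app.example.com/oauth/callback"""
if __name__ == "__main__":
    for line_no, uri, problems in validate_redirect_uris(SAMPLE_FIELD):
        print(f"line {line_no}: {uri}: {'; '.join(problems)}")
```

The portal's own validation may accept or reject values differently; treat this as a local check on the list you maintain, not a description of server behaviour.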