OAuth
The OAuth endpoints handle the authorization code flow for connecting external services. They are not called directly by API clients — they are used by the jeriko connect CLI command and channel commands to authorize connectors.
GET /oauth/:provider/start
Redirects to the OAuth provider's consent page.
The state query parameter is required. It carries a cryptographically random 256-bit token generated by the CLI. The daemon accepts each token once and rejects it after 10 minutes, so a callback whose state is missing, unknown, already used, or expired is refused. This is the CSRF protection for the callback: an attacker cannot complete the flow by delivering a code they obtained themselves, because they cannot supply a matching pending state.
# 1. CLI generates state token and opens browser
jeriko connect github
# 2. Browser redirects to:
# GET /oauth/github/start?state=<random-token>
# → 302 redirect to GitHub authorization page
# 3. User approves, GitHub redirects back to:
# GET /oauth/github/callback?code=<auth-code>&state=<token>
# 4. Daemon exchanges code for access token
# 5. Connector is now authenticated
GET /oauth/:provider/callback
OAuth callback. Exchanges the authorization code for an access token.
On success, renders an HTML page confirming the connection and sends a notification to the originating chat. On failure, renders an error page.
Supported Providers
| Provider | Type | Scopes |
|---|---|---|
| GitHub | OAuth | repo, user, notifications |
| X (Twitter) | OAuth + PKCE | tweet.read, users.read |
| Google Drive | OAuth | drive.file |
| OneDrive | OAuth | Files.ReadWrite |
| Gmail | OAuth | gmail.readonly, gmail.send |
| Outlook | OAuth | Mail.ReadWrite, Mail.Send |
| Vercel | OAuth | user, deployments |
| HubSpot | OAuth | crm.objects.contacts.read, crm.objects.deals.read |
| Shopify | OAuth | read_products, read_orders |
| Instagram | OAuth | instagram_basic, pages_show_list |
| Threads | OAuth | threads_basic, threads_content_publish |
Security
- State tokens are single-use and expire after 10 minutes
- X/Twitter uses PKCE (Proof Key for Code Exchange, RFC 7636): the CLI sends a SHA-256 challenge of a per-flow secret verifier with the authorization request, and the daemon must present the verifier when exchanging the code, so an intercepted code cannot be redeemed by anyone who did not start the flow
- Secrets are never logged or exposed in error responses
- Tokens are stored securely in the daemon’s credential store
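The state-token handling described above (256-bit random, single-use, 10-minute expiry, bound to one provider) and the PKCE step used for X/Twitter, carried through in Python as an added example. This is not the daemon's code and the page shows no implementation: the StateStore class, the in-memory dictionary, the build_authorize_url and handle_callback names, the injectable clock and the placeholder provider URLs are assumptions made here for illustration.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

STATE_TTL_SECONDS = 600   # 10 minutes, as the page specifies
STATE_BYTES = 32          # 256 bits of randomness


class StateStore:
    """Pending OAuth flows keyed by state token (hypothetical in-memory store).

    Each token is unguessable (256 bits), bound to one provider, accepted once,
    and rejected after STATE_TTL_SECONDS. The optional clock makes expiry testable.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # state -> (provider, expires_at, code_verifier or None)

    def issue(self, provider, use_pkce=False):
        """Create a state token (and a PKCE code_verifier when the provider needs one)."""
        state = secrets.token_urlsafe(STATE_BYTES)
        # RFC 7636 requires a 43..128 char verifier; 64 random bytes -> 86 URL-safe chars.
        verifier = secrets.token_urlsafe(64) if use_pkce else None
        self._pending[state] = (provider, self._now() + STATE_TTL_SECONDS, verifier)
        return state, verifier

    def consume(self, provider, state):
        """Validate and delete a state token; returns its code_verifier (or None).

        pop() makes the token single-use: a replayed callback finds nothing.
        Error messages deliberately do not echo the submitted value.
        """
        entry = self._pending.pop(state, None)
        if entry is None:
            raise ValueError("unknown or already-used state")
        stored_provider, expires_at, verifier = entry
        if stored_provider != provider:
            raise ValueError("state was issued for a different provider")
        if self._now() > expires_at:
            raise ValueError("state expired")
        return verifier


def pkce_challenge(verifier):
    """S256 code_challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scopes, state, verifier=None):
    """The URL that /oauth/:provider/start would 302 to (endpoint and client_id assumed)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    if verifier is not None:
        params["code_challenge"] = pkce_challenge(verifier)
        params["code_challenge_method"] = "S256"
    return authorize_endpoint + "?" + urlencode(params)


def handle_callback(store, provider, query, redirect_uri):
    """Checks performed on /oauth/:provider/callback before exchanging the code.

    Returns the form body to POST to the provider's token endpoint (the network
    call itself is out of scope). Raises ValueError on failure without putting
    the code or state into the message, so an error page cannot leak them.
    """
    if "error" in query:
        raise ValueError("provider returned an error")
    state = query.get("state")
    code = query.get("code")
    if not state or not code:
        raise ValueError("missing code or state")
    verifier = store.consume(provider, state)  # single-use, expiry and provider binding
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if verifier is not None:
        body["code_verifier"] = verifier        # proves this daemon started the flow
    return body


if __name__ == "__main__":
    # Constructed walk-through of steps 1-4 of the flow for a PKCE provider.
    store = StateStore()
    state, verifier = store.issue("x", use_pkce=True)
    print(build_authorize_url("https://provider.example/authorize", "client-id",
                              "http://localhost:8080/oauth/x/callback",
                              ["tweet.read", "users.read"], state, verifier))
    print(handle_callback(store, "x", {"code": "constructed-code", "state": state},
                          "http://localhost:8080/oauth/x/callback"))
```

The lookup is a plain dictionary pop rather than a constant-time comparison because the token carries 256 bits of entropy and is consumed on first use; what matters is that the verifier and the pending entry never leave the daemon, and that failures are reported without the submitted values.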