CRM Open API Documentation
  • Client OAuth Flow
  • OAuth Applications
  • Authorization Code + PKCE

    • Authorization Code + PKCE Introduction
    • Redirect to Login
    • Get Token
    • Compute PKCE Code Challenge
  • Resource Owner Password Credentials (ROPC)

    • ROPC Introduction
    • Get Token
    • Verify MFA Code
    • Get MFA Secret
    • Send Email OTP for MFA
    • Bind MFA Method and enable MFA

Client OAuth Flow Introduction

This section introduces how third-party client applications can obtain authorized access to CRM resources on behalf of a user using the OAuth 2.0 flows.

Use this document to understand the overall flow, required endpoints, and best practices to integrate securely.

When to use this

  • You are building a web or mobile app that needs to access a user's CRM data.
  • You want users to sign in via CRM and grant your app scoped permissions.

Prerequisites

  • A registered OAuth Application in CRM with:
    • Client ID (and Client Secret for confidential clients)
    • Allowed Redirect URI(s)
    • Whitelisted application IP(s)

Security Best Practices

  • Always use HTTPS
  • Use PKCE for public clients (SPA/mobile)
  • Keep client_secret only on secure backend servers
  • Validate state on callback and match it to the original request
  • Validate the token audience, issuer, and expiry when consuming ID or access tokens
  • Store refresh tokens securely; rotate on use if supported
  • Implement logout and token revocation where applicable
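The PKCE, state and token-validation items in the list above, worked through in Python as an added example; this is not code from the CRM documentation or the CRM client libraries. The callback URL, the client id and the token claims are constructed placeholders, and the claim check assumes a JWT-style access token whose payload has already been decoded and whose signature has already been verified.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse


def _b64url(data: bytes) -> str:
    # Base64url without padding, as RFC 7636 requires for verifier and challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Fresh high-entropy verifier (43 chars from 32 random bytes) and its challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def begin_authorization(pending: dict, max_age: int = 600) -> dict:
    """Create state + PKCE pair for one login attempt and store them server-side, keyed by state.

    The returned dict holds the query parameters the app adds to the redirect-to-login URL.
    The verifier itself never leaves the backend until the token request.
    """
    state = secrets.token_urlsafe(32)
    verifier, challenge = make_pkce_pair()
    pending[state] = {"verifier": verifier, "created": time.time(), "max_age": max_age}
    return {"state": state, "code_challenge": challenge, "code_challenge_method": "S256"}


def handle_callback(pending: dict, callback_url: str) -> tuple:
    """Validate the state on the callback; return (code, verifier) for the token request."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    # pop() makes every state single-use, so a replayed callback is rejected
    entry = pending.pop(state, None)
    if entry is None:
        raise ValueError("unknown or missing state: possible CSRF or replay")
    if time.time() - entry["created"] > entry["max_age"]:
        raise ValueError("state expired")
    if not code:
        raise ValueError("callback carried no authorization code")
    return code, entry["verifier"]


def token_claim_problems(claims: dict, issuer: str, client_id: str,
                         now: Optional[float] = None) -> list:
    """Return the list of checks a decoded token fails; an empty list means accept.

    issuer and client_id are what the app expects; claims is the decoded, signature-verified
    payload. 'aud' may be a string or a list of strings, so both shapes are handled.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("expired or missing exp")
    return problems


if __name__ == "__main__":
    # Constructed walk-through: start a login, receive the callback, check a sample token.
    pending = {}
    params = begin_authorization(pending)
    callback = "https://app.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=" + params["state"]
    code, verifier = handle_callback(pending, callback)
    print("exchange code", code, "with code_verifier", verifier)
    sample_claims = {"iss": "https://crm.example/oauth", "aud": "my-client-id", "exp": time.time() + 300}
    print("token problems:", token_claim_problems(sample_claims, "https://crm.example/oauth", "my-client-id"))
```

The `pending` dict stands in for whatever server-side session store the app uses; the point is that both the state and the verifier are generated and stored on the backend, the state is consumed exactly once, and the verifier is only sent in the token request, never in the browser redirect.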

Next Steps

  • Register your OAuth Application in CRM
  • Choose a flow: Authorization Code + PKCE (recommended) or Resource Owner Password Credentials (ROPC) for trusted apps
  • Configure redirect URIs and scopes
  • Implement the chosen flow in your app
  • Test the flow in a staging environment before going live
Last Updated: 10/28/25, 2:41 AM