This section describes how public clients (iframe) authenticate using OAuth 2.0 Authorization Code with PKCE.

Important domain separation

• Client Portal Hostname: Hosts the CRM login UI and handles user interaction (e.g. /login).
• Client API Hostname: Hosts the OAuth API endpoints (e.g. /oauth/token).

You can retrieve both domains from your registered OAuth Application in CRM.

Flow summary

1. Customer Iframe postMessage to crm with PKCE parameters.
2. Authorization code is issued and returned to your iframe.
3. Your iframe exchanges the authorization code for tokens using the code_verifier.

API references

• Post Message
• Exchange authorization code for token

Previous pageLogout

Next pagePost Message