When to Use OAuth
Register a Client
Twenty supports dynamic client registration per RFC 7591. No manual setup needed — register programmatically:Области действия
| Scope | Доступ |
|---|---|
api | Full read/write access to the Core and Metadata APIs |
profile | Read the authenticated user’s profile information |
scope=api profile
Authorization Code Flow
Use this flow when your app acts on behalf of a Twenty user.1. Redirect the user to authorize
| Параметр | Обязательно | Описание |
|---|---|---|
client_id | Да | Your registered client ID |
response_type | Да | Must be code |
redirect_uri | Да | Must match a registered redirect URI |
scope | Нет | Space-separated scopes (defaults to api) |
state | Рекомендуется | Random string to prevent CSRF attacks |
code_challenge | Рекомендуется | PKCE challenge (SHA-256 hash of verifier, base64url-encoded) |
code_challenge_method | Рекомендуется | Must be S256 when using PKCE |
2. Handle the callback
After authorization, Twenty redirects back to yourredirect_uri:
state matches what you sent.
3. Exchange the code for tokens
4. Use the access token
5. Refresh when expired
Client Credentials Flow
For server-to-server integrations with no user interaction:Server Discovery
Twenty publishes its OAuth configuration at a standard discovery endpoint:API Endpoints Summary
| Конечная точка | Назначение |
|---|---|
/.well-known/oauth-authorization-server | Server metadata discovery |
/oauth/register | Dynamic client registration |
/oauth/authorize | User authorization |
/oauth/token | Token exchange and refresh |
| Среда | Базовый URL |
|---|---|
| Облако | https://api.twenty.com |
| Самостоятельный хостинг | https://{your-domain} |
OAuth vs API Keys
| API ключи | OAuth | |
|---|---|---|
| Настройка | Generate in Settings | Register a client, implement flow |
| User context | None (workspace-level) | Specific user’s permissions |
| Лучше всего подходит для | Scripts, internal tools | External apps, multi-user integrations |
| Token rotation | Вручную | Automatic via refresh tokens |
| Scoped access | Full API access | Granular via scopes |