Setting Up an OAuth Connection

Connect to services that use OAuth for authentication.

Overview

OAuth lets you authorize Spojit to act on behalf of an account on an upstream service without sharing the account's password. Instead of pasting a key, you click through the service's own login and consent screen; the service returns an access token (and usually a refresh token) that Spojit stores in encrypted secret storage.

For OAuth connections, Spojit transparently refreshes the access token before it expires, so the connection stays alive as long as the upstream account remains authorized. If consent is ever revoked, the connection moves to a Reauthorize state and you reconnect from the same screen.

Before You Start

  • Login credentials for the account you want to connect on the upstream service.
  • Authority to grant the scopes the connector requests. For corporate Google or Microsoft accounts this may require an admin to approve the app first.
  • A browser session that is not blocking the popup or redirect back to Spojit.

Steps

  1. Go to Connections and click + Add Connection.
  2. Pick the connector from the catalog. The setup screen shows which scopes will be requested.
  3. Click Connect (or Authorize). Spojit redirects you to the upstream service.
  4. Sign in on the upstream service and review the requested scopes. Grant access.
  5. The service redirects you back to Spojit with the connection in Active state.
  6. Give the connection a descriptive name (e.g. Google Drive - Marketing) and click Save.

How Token Refresh Works

  • Access token - Short lived (typically minutes to an hour). Attached to every outbound call.
  • Refresh token - Long lived. Stored alongside the access token and used silently to fetch a new access token before the current one expires.
  • Refresh failures - If the upstream service rejects the refresh (revoked consent, deleted account, scope changes), the connection moves to Reauthorize and any workflow using it will fail until you reconnect.

Reconnecting

If a connection shows Reauthorize, or you need to grant additional scopes after the connector adds new tools, open the connection and click Reconnect. You will run through the upstream consent screen again; the connection keeps the same ID so workflows referencing it do not need to change.

Tips

  • Where possible, authorize with a dedicated service account (e.g. integrations@yourco.com) rather than a personal account, so the connection survives staff changes.
  • Once authorized, every workspace member who can build workflows can reference the connection - the credential is never exposed, only the connection ID. Prefer one shared service-account connection per provider over each teammate authorizing their own.
  • If the upstream service supports it, restrict the OAuth app to the workspaces or resources Spojit should reach.

Common Pitfalls

  • Admin approval required - Many corporate Google Workspace and Microsoft 365 tenants block third party apps until an admin approves them. The consent screen will say so explicitly.
  • Scope upgrades require reconnect - If a connector starts using a new tool that needs a scope you did not originally grant, the call fails until you click Reconnect.
  • Authorizing the wrong account - If you are signed in to multiple accounts in the same browser, the consent screen may default to the wrong one. Check the email shown before granting.
  • Revoking from the service side - Removing Spojit from the upstream account's connected apps page invalidates the refresh token immediately. The connection will need reauthorization on its next call.

Related Articles

Learn More

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.