---
title: "Establishing an OAuth Provider"
slug: "establishing-an-oauth-provider"
updated: 2026-02-12T20:32:19Z
published: 2026-02-12T20:32:19Z
---


# Establishing an OAuth Provider

## Overview

[OAuth](https://oauth.net/2/) is an open standard for providing secured delegated access. In short, Decisions can take actions or access resources from a server on behalf of the user without them having to share their credentials. The identity provider (IdP) can issue tokens to Decisions with the user's approval. Before using an API with OAuth, two things must first occur: an **OAuth Provider** must be established, and an **OAuth Token** must be created. This document describes how to set up an OAuth Provider for proper integration with Decisions.

This document covers Provider setup only. For information on creating Tokens for an OAuth Integration, see [Creating OAuth Tokens](/v9/docs/creating-oauth-tokens).

---

The following discusses the required configurations for an OAuth Provider. For assistance in finding the specific parameters for an OAuth Provider, please seek documentation or Developer settings for that specific service.

## Adding a Provider

To access **OAuth Settings** and create an **OAuth Token**, users must first establish an **OAuth Provider**. This setting is established in the **Manage > Integrations > OAuth > Providers** Folder by selecting the **ADD OAUTH PROVIDER** button within the Folder.

![](https://cdn.document360.io/6ef8bcc1-6489-4486-9ad1-83acff7e5df0/Images/Documentation/image-1770927886266.png)

### OAuth Provider Settings

| Setting | Description |
| --- | --- |
| Name | Name to distinguish the OAuth provider. |
| Description | A brief description or explanation of the OAuth provider. This helps users understand the purpose or functionality of the OAuth provider when configuring it within the platform. |
| OAuth Version | The version of OAuth to use. **OAuth1x** - The first version of OAuth, which follows a different authentication flow. **OAuth2** - The newer version, widely used for modern authentication and authorization. **Note:** Besides providing different configuration options, it is important to ensure that the selected OAuth version is compatible with the OAuth Server. For more information, see the documentation for the specific Server being integrated with, that Server's Settings, or the Key/Token locations for the App. Though both **OAuth1x** and **OAuth2** have nearly identical Provider Setting options, selecting OAuth2 provides a few additional options for configuration. |
| Token Request URL | The URL where the platform requests a temporary token during the OAuth1 authentication process. |
| Authorize URL | The URL where the platform redirects the user for authorization. Once the user grants permission, the platform receives a verifier code. |
| Access Token URL | The URL where the platform exchanges the temporary token and the verifier code for a long-lived access token during the OAuth1x authentication process. |
| Default Consumer Key | The default consumer key is associated with the platform. It identifies the platform when making requests to the OAuth provider. On the Microsoft OAuth side this is referred to as the Client ID or Application ID. |
| Default Consumer Secret Key | It is used, along with the consumer key, to authenticate the platform with the OAuth provider. This corresponds to the Client Secret Value in OAuth. |
| Get Base API URL from Authorization Response | **(OAuth2 only)** If selected, the platform will retrieve the base API URL from the authorization response. This helps identify the API endpoints for accessing resources. |
| Token Refresh URL (Optional) | **(OAuth2 only)** If provided, the URL where the platform can request a new access token using a refresh token, allowing extended access without user re-authorization. |
| Callback URL | **(OAuth2 only)** The URL where the user is redirected after successful authorization, along with the authorization code. Example: `{BasePortalURL}/HandleTokenResponse` |
| Use Proof Key for Code Exchange (PKCE) | **(OAuth2 only)** If selected, the platform uses PKCE to enhance security during the authorization code exchange process. |
| URL Encode Refresh Token During Refresh | **(OAuth2 only)** If selected, the platform URL encodes the refresh token when requesting a new access token during token refresh. |
| Omit Code During Refresh | **(OAuth2 only)** If selected, the platform omits the authorization code when requesting a new access token with a refresh token during token refresh. |
| Client Authentication Type | **(OAuth2 only)** The method used for client authentication when communicating with the OAuth provider. Options: **Client Secret (POST)**, **Private Key JWT**, **Basic Authentication** (v9.16+) |
| Private Key JWT | **(OAuth2 only)** The platform uses a JSON Web Token (JWT) with a private key for client authentication. |
| Get a Private Key from Path | **(OAuth2 only)** The platform obtains the private key from the specified path or location. |
| Private Key File | **(OAuth2, JWT only)** Upload the private key file for JWT-based authentication in the file upload area. |
| Private Key Password | **(OAuth2, JWT only)** If the private key is password-protected, enter the password to access it. |
| Private Key Signing Algorithm | **(OAuth2, JWT only)** The algorithm used to sign the JWT with the private key. RS256, RS384, and RS512 represent different signature strengths. |
| Key Identifier (KID) | **(OAuth2, JWT only)** A unique identifier that helps match the correct key or certificate used for secure communication with the OAuth provider. |

### Client Authentication (OAuth2 only)

**Client Authentication Type** controls how Decisions authenticates as the OAuth client when requesting or refreshing tokens (for example, calls made to the **Access Token URL** and **Token Refresh URL**).

| Option | How credentials are sent | When to use |
| --- | --- | --- |
| **Client Secret (POST)** | Sends the client credentials in the token request body (for example, `client_id` and `client_secret`). | Use when the OAuth provider expects credentials in the request body. |
| **Basic Authentication** (v9.16+) | Adds an HTTP `Authorization: Basic ...` header using the **Default Consumer Key** and **Default Consumer Secret Key** for token/refresh requests. | Use when the OAuth provider requires client authentication via an HTTP Basic Authorization header for token and refresh operations. |
| **Private Key JWT** | Authenticates using a signed JWT (based on the configured private key) during token/refresh requests. Additional private key settings become available when this option is selected. | Use when the OAuth provider supports JWT-based client authentication and requires a signed client assertion instead of a client secret. |

**Note:** OAuth providers vary in which client authentication method is accepted. If token requests fail, confirm the required method in the provider documentation (for example, whether client credentials must be sent in the request body vs. an `Authorization` header, or whether JWT assertions are required).
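
The three options differ only in where the client credential appears in the token request, which is what to compare against the provider's documentation when a request is rejected. The following is an added example, not Decisions' own code: it builds the request as RFC 6749 and RFC 7523 describe it, and `token_request`, the `sign` callback, the five-minute expiry and the use of the token URL as `aud` are assumptions made for illustration.

```python
import base64
import json
import time
import uuid
from urllib.parse import quote_plus, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(raw: bytes) -> str:
    """Unpadded base64url, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_request(method, client_id, client_secret=None, *, token_url, grant,
                  sign=None, alg="RS256", kid=None, now=None):
    """Return (headers, body) for a token or refresh request.

    method: "post" = Client Secret (POST), "basic" = Basic Authentication,
            "jwt" = Private Key JWT.
    sign:   hypothetical callable(bytes) -> bytes that signs with the private
            key using `alg`; the key handling itself is outside this sketch.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = dict(grant)
    if method == "post":
        # Credentials travel as form fields in the request body.
        form.update(client_id=client_id, client_secret=client_secret)
    elif method == "basic":
        # RFC 6749 2.3.1: form-encode each value, join with ":", then base64.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "jwt":
        # RFC 7523 client assertion: no secret is sent, only a signed JWT.
        now = int(time.time()) if now is None else now
        header = {"alg": alg, "typ": "JWT", **({"kid": kid} if kid else {})}
        claims = {"iss": client_id, "sub": client_id, "aud": token_url,
                  "jti": str(uuid.uuid4()), "iat": now, "exp": now + 300}
        signing_input = ".".join(
            b64url(json.dumps(part, separators=(",", ":")).encode())
            for part in (header, claims))
        assertion = f"{signing_input}.{b64url(sign(signing_input.encode()))}"
        form.update(client_assertion_type=JWT_BEARER, client_assertion=assertion)
    else:
        raise ValueError(f"unknown client authentication method: {method}")
    return headers, urlencode(form)
```

Some providers expect the raw, unencoded `id:secret` pair in the Basic header, so a secret containing reserved characters is worth testing explicitly against the provider.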

---

## Feature Changes

| Description | Version | Release Date | Developer Task |
| --- | --- | --- | --- |
| Added Basic Authentication Header as a client authentication type for OAuth2. | [9.16](https://documentation.decisions.com/v99/docs/version-916x-release-notes) | October 2025 | [DT-045620] |
