OAuth 2.0
OAuth 2.0 provides token-based authentication for private integrations that require user consent and delegated access. Use OAuth for internal applications within an organization that need user-specific permissions.
OAuth is currently only available for private integrations inside an organization, that is, apps that are not publicly distributed. OAuth integrations are not yet intended for public distribution or listing in marketplaces.
For implementation details, see the step-by-step guide on bringing OAuth into your application.
Prerequisites
Understand OAuth 2.0 basics, including:
- Authorization server
- Client application
- Resource owner
- Access token
Register your application
Register your application to receive OAuth credentials. Submit your project details using the application form. After approval, you’ll receive credentials and additional information needed to implement OAuth 2.0.
OAuth 2.0 flow
Brevo uses the OAuth 2.0 authorization code grant flow to create access tokens on behalf of users. The flow authorizes applications to access and manipulate user data, such as sending emails or updating contacts.

Flow steps
- User accesses your private integration application
- Your app loads the Brevo authentication popup window
- User authenticates with Brevo credentials (email/password, Google, or Apple)
- Your app requests an access token from the Brevo Auth Server
- The Brevo Auth Server validates the request and returns OAuth tokens:
  - Access token: Bearer token included in the Authorization header for subsequent API requests
  - Refresh token: Used to obtain a new access token when the current one expires
- Your app stores the credentials and proceeds to make API calls
- For each API request, the Brevo Auth Server validates the bearer token and returns the requested data
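The client side of the flow above, as an added Python example (not Brevo's own code or SDK): it builds the consent URL with a random state, rejects a callback whose state does not match (the CSRF check the authorization code grant relies on), exchanges the code for tokens, and uses the refresh token shortly before the access token expires. The endpoint URLs are placeholders and the `post` callable is an assumption standing in for your HTTP library.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical endpoint URLs: the real ones come with the credentials Brevo sends after registration.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
TOKEN_URL = "https://auth.example.invalid/oauth/token"

class OAuthClient:
    def __init__(self, client_id, client_secret, redirect_uri, post):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.post = post  # callable(url, form_dict) -> parsed JSON dict; a real app wraps an HTTP library
        self.tokens, self.expires_at, self._pending_state = None, 0.0, None

    def authorization_url(self):
        # A fresh unguessable state ties the callback to this session; a mismatch later means CSRF.
        self._pending_state = secrets.token_urlsafe(32)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": self._pending_state}
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        if "error" in q:
            raise RuntimeError(f"authorization denied: {q['error'][0]}")
        state = q.get("state", [""])[0].encode()
        if self._pending_state is None or not secrets.compare_digest(state, self._pending_state.encode()):
            raise ValueError("state mismatch: callback not bound to this session, rejecting")
        self._pending_state = None  # single use, so a replayed callback is rejected
        self._store(self.post(TOKEN_URL, {"grant_type": "authorization_code", "code": q["code"][0],
                                          "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                          "client_secret": self.client_secret}))

    def _store(self, resp):
        if resp.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type in token response")
        self.tokens = {**(self.tokens or {}), **resp}  # keep the old refresh_token if the server does not rotate it
        self.expires_at = time.time() + int(resp.get("expires_in", 0)) - 30  # refresh 30 s early

    def access_token(self):
        if self.tokens is None:
            raise RuntimeError("not authorized yet: complete the consent flow first")
        if time.time() >= self.expires_at:  # expired or nearly so: trade the refresh token for a new pair
            self._store(self.post(TOKEN_URL, {"grant_type": "refresh_token",
                                              "refresh_token": self.tokens["refresh_token"],
                                              "client_id": self.client_id, "client_secret": self.client_secret}))
        return self.tokens["access_token"]

    def auth_header(self):
        return {"Authorization": f"Bearer {self.access_token()}"}
```

Store `tokens` server-side per user (never in a cookie or the browser), and treat the refresh token like a password.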