access_token that can be used to call the APIs using that user’s identity and permissions.
OAuth is typically used when building applications that other users install or sign in to — for example integrations or services that need to access data from multiple accounts.
This page explains the OAuth flows supported by Text:
These flows can be used to obtain an access token for calling APIs on behalf of an agent (like the Agent Chat API or the Configuration API). To authorize calls to the Customer Chat API, use customer authorization.
Which OAuth flow to choose
The OAuth flow you choose depends on how your app works and where it runs.
Use Implicit grant for browser-based apps that need to receive an
access_token directly in the redirect URL.
Use Authorization code grant for server-side apps that can securely store a Client Secret. This flow also supports refreshing tokens without requiring the user to authorize again. If your frontend app needs to receive a code instead of an access_token, use Authorization code grant with PKCE.
Use Sign in with Text to add a ready-to-use login flow to a web app using the Accounts SDK. It’s the simplest way to sign users in and obtain basic account data or an access token.
OAuth configuration rules
Token limitations
- There’s a limit of 25 access tokens per client per user account. When the limit is reached, the oldest token is automatically revoked.
- There’s a limit of 25 refresh tokens per client per user account. When the limit is reached, the oldest token is automaticaly revoked.
-
There’s a limit of 3 redirects in 30 seconds to the Text OAuth 2.1 server per client per user account. When the limit is reached, the server redirects to the error page with the
too_many_redirectserror details.
Redirect URIs
You can configure many comma-separated redirect URIs for your application. The redirect URI in the Authorization request is valid when it matches one of the URIs configured for your OAuth client. URIs are composed of several parts:- scheme (
http://,https://) - is required and must match exactly. See examples 10 and 11 in the table below. - host (
google.pl,localhost:3000, …) - a hostname or IP and an optional port; is required and must match exactly. See examples 7, 8, and 9 in the table below. - path (
/info,/test, …) - the client redirect URI path must be a substring of the authorization request redirect path; path traversals are forbidden. Optional. See examples 2, 3, 4, 5, and 6 in the table below. - query (
?size=20, …) - is forbidden. - fragment (
#paragraph) - is forbidden.
Implicit grant
Implicit grant is an authorization flow recommended for JavaScript web apps, but it works for both types: JavaScript and server-side apps. To set up your own web app, you must define the URL of the app and the list of scopes. Scopes determine which parts of a Text user’s account your app will have access to. A Text customer who enters your app URL will be asked to enter their login and password and grant the access for your app. Then, the user is redirected to your app withaccess_token included in the URL.
Implementing implicit grant
Step 1: Create an app
In Text, go to Settings → API access → OAuth clients and create a new OAuth client. Configure:- Display name - a name to identify your OAuth client
- Redirect URI whitelist - where users will be redirected after authorization
- Access scopes - permissions your app needs
- Client type - select Web app for browser-based JavaScript apps
Step 2: Redirect users to Text OAuth server
When users run your app, they should be redirected to the Text OAuth server, which can be found under this URL:Example redirection to Text OAuth server
Step 3: Get an access token from the URL
After a user authorizes the app by clicking Allow, they are redirected back to your application (to the Redirect URI you configured). The URL includes a number of parameters, including theaccess_token.
Response
Example redirection back to the app
Step 4: Use the token in API calls
Once you extract the token from the URL, your app can use it to sign requests to the Text API. Your application should store theaccess_token in localStorage or a cookie until it expires. Caching the token prevents you from redirecting the user to Text OAuth server every time they visit your app.
Code example
This sample web app makes a call to Agent Chat API to return the list of customers, which is then logged in the console. The application uses the Implicit grant to get an access token.index.html
get_customers.js
index.html with your own redirectUri (link to your app) and clientId.
Make sure to use the exact same Redirect URI you configured for your OAuth client. To use the Get Customers method, your app needs the customers:ro scope.
When everything is ready, install the app privately for your license.
Authorization code grant
Authorization code grant flow is recommended for server-side apps. Unlike web apps, they can store confidential info, such as Client Secret, on a server without ever exposing it. When a user runs your app, they are redirected to the Text OAuth server. After successful authorization, the user is redirected back to your app with a single-use authorization code. Your application then exchanges the code for an access token and refresh token using the Client Secret. From this point, the app can regenerate new access tokens without any action from the user.PKCE extension
OAuth 2.1 introduces the PKCE (Proof Key for Code Exchange) extension for the Authorization code grant flow. It allows web applications to use the Authorization code grant flow, and also, enables the possibility to use custom schema redirects, like:my_app: // (especially useful with native applications).
The Authorization code grant flow with PKCE is recommended for both web apps and server-side apps.
Since web app clients can’t store Client Secrets securely, their Authorization code grant flow with PKCE differs from the one for server-side apps.
- Web apps - Client Secret cannot be used, so it’s not mandatory; refresh tokens rotate.
- Server-side apps - Client Secret is mandatory to exchange a code for an access token and to refresh a token; refresh tokens don’t rotate.
- The client generates
code_verifierfrom the following characters:[A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~". It’s between 43 and 128 characters long. - The client generates
code_challengewithcode_challenge_methodas follows:plain-code_challenge=code_verifier, when nocode_challenge_methodis present, thenplainis assumed.S256-code_challenge=b64(s256(ascii(code_verifier)))whereb64is Base64 URL encoding ands256is theSHA256hash function.
- The client sends
code_challengein the authorization request. - The server responds with the code.
- The client sends
code_verifierduring the exchange of the code for an access token. - The server performs an additional validation for
code_challengeandcode_verifier. Upon successful validation, it returns the access token.
Implementing authorization code grant
Step 1: Create and configure your app
In Text, go to Settings → API access → OAuth clients and create a new OAuth client. Configure:- Display name - a name to identify your OAuth client
- Redirect URI whitelist - where users will be redirected after authorization; only this URI can receive the code or token
- Access scopes - select the scopes your app needs (e.g.,
chats--all:roto list chats) - Client type - select Server-side app
Step 2: Redirect users to Text OAuth server
When users run your app, they should be redirected to the Text OAuth server, which can be found under this URL:prompt:consent to verify this step from the user perspective.
This step is also omitted for private server-side apps installed by Agents from the same license.
Step 3: Acquire the code
After a user authorizes the app by clicking Allow, they are redirected back to your application (to the Redirect URI you configured). The URL includes parameters, including thecode.
Response
Example redirection back to the app
Step 4: Exchange code for access token and refresh token
To exchange thecode for an access_token and a refresh_token, you need to make an HTTP POST request to the following URL:
Response
The response is a JSON with the following parameters:
Response
Refresh tokens no longer include the
us-south1: or eu-west3: prefixes.Step 5: Use the token in API calls
Once you have theaccess_token, your app can use it to authorize requests to Text APIs. Store the token securely until it expires. Caching the token prevents unnecessary redirects to the Text OAuth server.
Practical example: Listing chats
Let’s walk through a complete example. We’ll use the List Chats method from the Agent Chat API. Before you start, make sure you have:- A Text Owner or Admin account (sign up for free)
- An OAuth client configured with the
chats--all:roscope (see Step 1) - The
chats--all:roscope selected in your app - A tool to send requests (Postman, cURL, etc.)
1
Get your code
Paste your Client Id and Redirect URI in this request format, then open it in your browser while logged in:After authorization, you’ll be redirected to your Redirect URI with a If the code contains
code parameter:%3A, replace it with : (colon). Example: us-south1:k0FTiZgtBkTLnzXlatwt6Fgvpp42
Exchange code for token
Use cURL or Postman to exchange the code for an access token:You’ll receive a response with
access_token, refresh_token, and other details.3
Call the API
Use the access token to call the List Chats method. Copy the request from the API documentation and replace
<your_access_token> with your actual token.Using the refresh token
When anaccess_token expires, your app needs to acquire a new one. To do that, it has to send an HTTP POST request using the refresh_token.
Response
The response is a JSON with the following parameters:
Response
Refresh tokens no longer include the
us-south1: or eu-west3: prefixes.Revoking tokens
In some cases, a user may wish to revoke the access (the token) given to your application. The token can be either an access token or a refresh token. If it’s an access token with a corresponding refresh token, both tokens will be revoked. To revoke a token, make a DELETE HTTP request to the following URL:Response (200 OK)
Validating the access token
You can validate anaccess_token by making a GET HTTP request to the following URL:
Validate an access token
Response
Sign in with Text
The Sign in with Text flow is the easiest way to get access to basic information in Text accounts. It allows you to quickly build an app that can access that info through Accounts SDK. The Sign in with Text flow lets you:- Get access to the Text user’s email, account ID, or organization ID.
- Receive an
access_tokenthat can be used to perform API calls. - Receive a
codeusing the PKCE extension, which could be then used to obtain the account’srefresh_tokenandaccess_token.
User flow
Users start the flow by clicking the Sign in with Text button. If a user is not signed in, they’ll be asked to do that. Then, the user must give the app access to the specified parts of their Text account. Finally, the app receives anaccess_token that allows it to perform different API calls, limited to what the user agreed to in the prompt.
For example, you can display the tracking code which already includes the user’s account license number:
Tracking code
Implementing Sign in with Text
Step 1: Create a new app
In Text, go to Settings → API access → OAuth clients and create a new OAuth client. Configure:- Display name - a name to identify your OAuth client
- Redirect URI whitelist - must match the exact URL of the website where users will click Sign in with Text; the button will not work with any other URL
- Access scopes - permissions your app needs
Step 2: Include the SDK library
You can install the SDK from NPM. NPM moduleNPM module installation
NPM module import
AccountsSDK module from NPM.
Step 3: Prepare button container
Prepare the login button, which will invoke the authorization flow when a user clicks it.Prepare the button container
Accounts SDK
The Accounts SDK (@livechat/accounts-sdk) provides the classes and methods used in the Sign in with Text flow. For the full API reference — including AccountsSDK, Popup, Redirect, PKCE configuration, and response formats — see the Accounts SDK documentation.