OAuth 2.0 API Documentation

Overview

RepairDesk supports OAuth 2.0 Authorization Code Grant to allow third-party applications to securely access RepairDesk data on behalf of users.

OAuth 2.0 ensures that:
- Users explicitly consent before any data access
- Client credentials remain secure
- Access can be revoked at any time

This documentation explains how to register an application, obtain access tokens, and securely interact with protected RepairDesk APIs.


OAuth 2.0 Grant Type

RepairDesk uses the Authorization Code Flow, which is recommended for server-side and confidential client applications.

Best suited for:
- Web applications
- Backend services
- Mobile apps with secure backends


Key Concepts

Client ID

- Public identifier for your application

- Used during authorization requests

Client Secret

- Confidential credential issued to your application

- Used when exchanging authorization codes or refreshing tokens

- Must never be exposed in client-side code or public repositories

Redirect URI

- The URL where RepairDesk redirects users after authorization

- Must exactly match the URI registered during app creation

- Used as a security validation mechanism

Registering Your Application

1. Log in to RepairDesk as a Super Admin.

2. Navigate to Store Settings > Store > API Access page.

3. Click Create OAuth Client and provide the following details: Application Name, Application Type (Web, Mobile, etc.), Redirect URI, and Store (select the store this application belongs to).

   [Screenshot: Create OAuth Client details form]

4. Click Create OAuth Client.

5. Copy and securely store the Client ID and Client Secret.

   [Screenshot: Client ID and Client Secret]

API Endpoints

Base URL

https://api.repairdesk.co/v1/oauth2

1. Authorization Endpoint

Request user consent and receive an authorization code.

Endpoint

GET /v1/oauth2/authorize

Query Parameters

Parameter        Required   Description
---------------  ---------  ------------------------------------------
client_id                   Your application Client ID
redirect_uri                Must match the registered Redirect URI
response_type               Must be set to code


Example Request

GET https://api.repairdesk.co/v1/oauth2/authorize
  ?client_id=YOUR_CLIENT_ID
  &redirect_uri=YOUR_REDIRECT_URI
  &response_type=code
  &state=RANDOM_STRING

Behavior

  • User is redirected to their tenant-specific RepairDesk domain

  • User must have access to the same store for which the application is registered.

  • User approves or denies access

  • On approval, RepairDesk redirects back to the Redirect URI with an authorization code

[Screenshot: Redirect Response]

[Screenshot: Consent Page]

2. Token Endpoint

Exchange authorization codes or refresh tokens for access tokens.

Endpoint

POST /v1/oauth2/token

Authorization Code Grant

Request Body

{
  "grant_type": "authorization_code",
  "code": "AUTHORIZATION_CODE",
  "redirect_uri": "YOUR_REDIRECT_URI",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET"
}

Refresh Token Grant

Request Body

{
  "grant_type": "refresh_token",
  "refresh_token": "YOUR_REFRESH_TOKEN",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET"
}

Token Response

{
  "access_token": "ACCESS_TOKEN",
  "refresh_token": "REFRESH_TOKEN",
  "expires_in": 3600,
  "token_type": "Bearer"
}

3. Revoke Token Endpoint

Invalidate access or refresh tokens.

Endpoint

POST /v1/oauth2/revoke

Request Body

{
  "token": "TOKEN_TO_REVOKE",
  "token_type_hint": "access_token",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET"
}

Use this endpoint when:

1. The user disconnects your app

2. Credentials are compromised

3. Tokens are no longer needed


OAuth 2.0 Flow Summary

Step 1: Request Authorization Code

- Redirect the user to the authorization endpoint
- The user grants consent on their RepairDesk tenant
- Receive the authorization code at your Redirect URI

Step 2: Exchange Code for Tokens

- Send the authorization code to the token endpoint
- Receive access and refresh tokens

Step 3: Access Protected APIs

- Include the access token in API requests

Step 4: Refresh Token (Optional)

- Use the refresh token when the access token expires
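The following is an added example (not RepairDesk's own code or SDK) that walks through Steps 1 and 2 against the authorization and token endpoints documented above: it generates and checks the state parameter, parses the redirect back, and exchanges the code server-side. The client ID, secret, redirect URI and the injectable post function are assumptions for illustration; the real call uses urllib.

```python
import json
import secrets
import urllib.parse
import urllib.request

# Endpoints as documented on this page.
AUTHORIZE_URL = "https://api.repairdesk.co/v1/oauth2/authorize"
TOKEN_URL = "https://api.repairdesk.co/v1/oauth2/token"


def build_authorize_url(client_id, redirect_uri):
    """Step 1: build the consent URL. Returns (url, state); the state must be
    stored in the user's session and checked when the redirect comes back."""
    state = secrets.token_urlsafe(32)  # unguessable per-request value
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to the Redirect URI. A state mismatch means
    the code was not issued for this session, so it is discarded."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    if "error" in qs:  # user denied consent or the request was rejected
        raise RuntimeError("authorization failed: " + qs["error"][0])
    return qs["code"][0]


def exchange_code(code, client_id, client_secret, redirect_uri, post=None):
    """Step 2: exchange the code for tokens from the backend only (the secret
    never leaves the server). `post` is an assumed hook so the flow can be
    exercised offline; by default the request goes over HTTPS via urllib."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri,  # must equal the value in Step 1
            "client_id": client_id, "client_secret": client_secret}
    resp = (post or _post_json)(TOKEN_URL, body)
    if "error" in resp:  # e.g. invalid_client, unsupported_grant_type
        raise RuntimeError("token endpoint error: " + resp["error"])
    return resp


def _post_json(url, body):
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)
```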


Using Protected Endpoints

Include the access token in the Authorization header:

Authorization: Bearer YOUR_ACCESS_TOKEN

Example Request

GET https://api.repairdesk.co/v1/customer/customerlist
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Token Lifecycle

  • Access Token validity: 3600 seconds (1 hour)

  • Refresh Token validity: 1 month

  • Tokens can be revoked at any time

Security Best Practices

  • Never expose Client Secret in frontend code

  • Always use HTTPS

  • Validate Redirect URIs strictly

  • Store tokens securely (encrypted storage)

  • Refresh tokens before expiration

  • Revoke tokens when access is no longer required

Common Error Codes

Error Code              Description
----------------------  ------------------------------------------
invalid_request         Missing or invalid parameters
invalid_client          Invalid client credentials
unauthorized_client     Client not authorized for this grant type
unsupported_grant_type  Grant type not supported