# OAuth

This section explains how to set up an OAuth 2.0 authorization flow with Ellipsis Drive.

OAuth allows your application to obtain delegated access to a user’s account without handling their credentials directly.

The flow results in:

* an **access token** (used to make API requests)
* a **refresh token** (used to obtain new access tokens over time)

***

#### Supported flow

Ellipsis Drive supports the **Authorization Code grant type**, with optional **PKCE** for enhanced security.

PKCE is recommended for:

* single-page applications
* mobile apps
* native applications

***

### Setup steps

#### 1. Register your application

Go to [Account settings](https://app.ellipsis-drive.com/account-settings/profile) → **Developer settings** and register a new OAuth client.

You will need to provide:

* a callback URL (redirect URI)

After registration, store your:

* client ID
* client secret


#### 2. Redirect user to authorization endpoint

In your application, direct the user to the [authorization endpoint](https://docs.ellipsis-drive.com/developers/api-v3/oauth/authorization).

This will redirect the user to Ellipsis Drive, where they can grant access to your application.

#### 3. Receive authorization code

After the user grants access, they are redirected back to your callback URL.

The callback request will include an authorization code as a parameter.

#### 4. Exchange code for tokens

Your backend should [exchange the authorization code](https://docs.ellipsis-drive.com/developers/api-v3/oauth/authorization-code-variant) for:

* an access token
* a refresh token

Store the refresh token securely in your backend so you can create another access token for the user at a later time if needed.

#### 5. Use the access token

Use the access token to make authenticated requests to the Ellipsis Drive API.

#### 6. Refresh tokens when needed

When the access token expires, [use the refresh token](https://docs.ellipsis-drive.com/developers/api-v3/oauth/refresh-token-variant) to obtain a new access token.

This allows users to stay connected without re-authorizing.
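The following sketch covers steps 2 and 3 with PKCE on a Python backend. It is an added example, not code from Ellipsis Drive. Assumptions: `AUTHORIZE_URL` is a placeholder, the query parameter names are the standard RFC 6749 / RFC 7636 ones (including a `state` value echoed on the callback), and the `session` dict stands in for your server-side session store.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder, not the real endpoint: take the URL from the linked API reference.
AUTHORIZE_URL = "https://oauth.example.invalid/authorize"


def s256_challenge(verifier: str) -> str:
    """PKCE S256: unpadded base64url of SHA-256(code_verifier) (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_authorization(client_id: str, redirect_uri: str) -> tuple[str, dict]:
    """Step 2: return the redirect URL and the values to keep in the server-side session."""
    verifier = secrets.token_urlsafe(32)  # 43 chars, inside RFC 7636's 43-128 range
    state = secrets.token_urlsafe(32)     # unguessable, binds the callback to this session
    params = {  # standard RFC 6749 / RFC 7636 names, assumed to apply here
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    session = {"state": state, "code_verifier": verifier}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", session


def handle_callback(callback_url: str, session: dict) -> tuple[str, str]:
    """Step 3: validate the callback; return (code, code_verifier) for step 4."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    expected = session.pop("state", "")  # single use: a replayed callback fails
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(received.encode(), expected.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0], session.pop("code_verifier")
```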

***

{% hint style="warning" %}

### Important considerations

* Access tokens are short-lived and should not be stored long-term
* Refresh tokens should be stored securely on the backend
* Do not expose tokens in client-side code or URLs
{% endhint %}


