Hey, I’m building an integration that syncs my platform with Vercel. But I have some trouble on how to get the access tokens…
I’ve created a custom integration on Vercel and managed to authenticate my app with Vercel and get an access token by providing the code I got from the OAuth2 callback. With this access token I can successfully make requests to the REST API of Vercel.
My question is: how to get a new access token when the user wants to sync their app data to Vercel? Do I need to save the access token I got from the callback and use that? If so, how is this secure? And when does it expire?
Thanks for helping me, I am new to the Vercel API but I couldn’t find this in the docs.
Hey @siebebaree,
Just to clarify, are you looking to use the Vercel REST API (which we also have an SDK for) which will let you manage your Vercel team/projects? Or are you trying to make an authentication platform where Vercel is the OAuth to the app?
After some time, I need access to their projects (to do my business logic). How to authenticate my backend with the Vercel API? Because the code from the callback isn’t valid anymore. Do I need to save the access token in my backend? This doesn’t seem secure?
Is this more clear? In the docs I find a lot on manual access tokens the user needs to generate themselves in the Vercel dashboard but is this really needed? I would like it to just be ‘add integration’ and that’s it.
Hey @siebebaree,
I think I follow your use case. So yes, in order to use the Vercel API (or SDK), you need a valid access token from Vercel (typically done here).
What I am unsure of is if using the Vercel OAuth integration and the token it gives back to you for that user actually has scopes assigned to actually do things with their account.
Otherwise, yes you’d have to prompt them to make a token in our dashboard, store it securely, and use that token to execute your tasks.
I want to avoid prompting the user for a token. I’ll do it if I have to but I don’t see the point in the custom integrations if I cannot use the API when a user has given my integration access to their projects.
Is there an expiry on the access_token granted through the integration OAuth flow? There doesn’t seem to be a refresh_token or expiry time returned? There appears to be little to no documentation around how to set up OAuth for a community integration. I’ve already found the above linked (3rd party) Medium article. Is that it for the official documentation here?
Nope! That document covers user self-service generation of an access token, not access tokens generated from installing a community integration, which my question is specifically about.
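
On the question raised earlier in the thread about saving the integration's access token in a backend ("store it securely"): one way to keep it encrypted at rest, as an added example that is not part of the thread and not Vercel's own code. It assumes Node.js, a 32-byte key supplied by a KMS or secret manager, and a hypothetical `installationId` string identifying the installing user or team.

```javascript
const crypto = require('node:crypto');

// Assumption: in production this key is fetched from a KMS or secret manager and
// never lives in the database that holds the ciphertext. Constructed for the demo.
const demoKey = crypto.randomBytes(32);

// Encrypt a token with AES-256-GCM. The installation id (hypothetical name for
// whatever identifies the installing user/team in your DB) is bound as AAD, so a
// ciphertext copied onto another tenant's row fails authentication on decrypt.
function sealToken(key, installationId, accessToken) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(installationId, 'utf8'));
  const ct = Buffer.concat([cipher.update(accessToken, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  // Stored layout: iv (12) || tag (16) || ciphertext, base64-encoded.
  return Buffer.concat([iv, tag, ct]).toString('base64');
}

// Decrypt and authenticate. Throws if the key, the installation id, or any byte
// of the stored value does not match what was sealed.
function openToken(key, installationId, sealed) {
  const buf = Buffer.from(sealed, 'base64');
  if (buf.length < 28) throw new Error('sealed token too short');
  const iv = buf.subarray(0, 12);
  const tag = buf.subarray(12, 28);
  const ct = buf.subarray(28);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(installationId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Helper for callers and tests: true when fn throws.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample values; the token string is not a real credential.
const sealedDemo = sealToken(demoKey, 'inst_constructed_A', 'constructed-access-token');
console.log('stored value:', sealedDemo);
console.log('wrong tenant rejected:',
  rejects(() => openToken(demoKey, 'inst_constructed_B', sealedDemo)));
```

Only the base64 value goes into the database; decrypt it in memory right before the API call and keep it out of logs.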