
OAuth in Embeds

When end users connect platforms that require OAuth (like Shopify), the embed system handles the authorization flow.

Flow

  1. End user initiates connection to an OAuth bridge
  2. Your app calls the OAuth start endpoint
  3. A popup or redirect takes the user to the platform’s authorization page
  4. End user grants permissions
  5. The platform redirects back to Orderly’s OAuth callback
  6. The bridge status updates from oauth_pending to active
  7. Your UI updates to show the connected bridge

Starting OAuth

    POST /api/embed/bridges/shopify/oauth/start
    Authorization: Bearer est_session-token
    Content-Type: application/json

    {
      "shopDomain": "mystore.myshopify.com"
    }

This creates a bridge in oauth_pending status and returns the authorization URL. Send the end user to that URL (typically in a popup window) and treat the bridge as unconnected until its status has changed to active.
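The flow above, written out as host-page code. This is an added example, not Orderly's own client library. The start endpoint, its bearer session token, the shopDomain body field and the oauth_pending to active transition come from this page; the shape of the start response ({ bridgeId, authorizationUrl }) and the status endpoint GET /api/embed/bridges/{bridgeId} returning { status } are assumptions made for illustration. fetch, the popup opener and the sleep are injectable so the flow can be exercised offline.

```javascript
// Added example, not Orderly's own client code: drive the embed OAuth flow
// from the host page. Assumed for illustration: the start response shape
// ({ bridgeId, authorizationUrl }) and a status endpoint
// GET /api/embed/bridges/{bridgeId} that returns { status }.
const START_URL = "/api/embed/bridges/shopify/oauth/start";
const statusUrl = (bridgeId) => `/api/embed/bridges/${encodeURIComponent(bridgeId)}`; // assumed

// Accept only a bare *.myshopify.com host; paths, schemes and other domains
// are rejected before anything is sent to the API.
const SHOP_DOMAIN_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;
function isValidShopDomain(shopDomain) {
  return typeof shopDomain === "string" && SHOP_DOMAIN_RE.test(shopDomain);
}

// Build the start request exactly as the docs show it.
function buildStartRequest(sessionToken, shopDomain) {
  if (!isValidShopDomain(shopDomain)) throw new Error("invalid shopDomain");
  return {
    url: START_URL,
    init: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${sessionToken}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ shopDomain }),
    },
  };
}

// Only ever navigate the user to an https URL that the API returned.
function checkAuthorizationUrl(url) {
  return typeof url === "string" && /^https:\/\//i.test(url);
}

async function startShopifyOAuth(sessionToken, shopDomain, fetchImpl) {
  const { url, init } = buildStartRequest(sessionToken, shopDomain);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`oauth start failed: HTTP ${res.status}`);
  const body = await res.json();
  if (!checkAuthorizationUrl(body.authorizationUrl)) {
    throw new Error("unexpected authorization URL");
  }
  return body; // { bridgeId, authorizationUrl } (assumed shape)
}

// Poll until the bridge leaves oauth_pending. Any status other than "active"
// (a denied grant, a failed callback) ends the wait instead of spinning.
async function waitForBridgeActive(sessionToken, bridgeId, deps) {
  const { fetchImpl, sleep, intervalMs = 1500, timeoutMs = 5 * 60 * 1000 } = deps;
  const deadline = Date.now() + timeoutMs;
  while (Date.now() < deadline) {
    const res = await fetchImpl(statusUrl(bridgeId), {
      headers: { Authorization: `Bearer ${sessionToken}` },
    });
    if (!res.ok) throw new Error(`status check failed: HTTP ${res.status}`);
    const { status } = await res.json();
    if (status !== "oauth_pending") return status;
    await sleep(intervalMs);
  }
  return "timeout";
}

// Full flow: start, open the popup, wait for the status change, and hand the
// final status back to the UI.
async function connectShopify(sessionToken, shopDomain, deps = {}) {
  const fetchImpl = deps.fetchImpl || ((...args) => fetch(...args));
  const sleep = deps.sleep || ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
  // noopener: the platform's authorization page must not get a handle on the host window.
  const openPopup = deps.openPopup ||
    ((url) => window.open(url, "orderly-oauth", "popup,width=600,height=700,noopener"));
  const { bridgeId, authorizationUrl } = await startShopifyOAuth(sessionToken, shopDomain, fetchImpl);
  openPopup(authorizationUrl);
  return waitForBridgeActive(sessionToken, bridgeId, { ...deps, fetchImpl, sleep });
}
```

The shop-domain check and the https check on the returned URL are the two places where host-page input or API output is turned into a navigation, so they are the two places worth validating before the popup opens.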

Security

  • OAuth tokens are stored by Orderly; end users and your app never see the raw tokens
  • The OAuth state parameter carries a nonce and a timestamp, both validated on the callback, which binds the callback to the authorization request that started it
  • State is Base64URL-encoded for transport and expires one hour after it was issued; an expired or unrecognised state is rejected
  • Tokens are scoped to the end user's bridge instance, so one user's bridge cannot act with another user's tokens

No Extra Configuration

OAuth flows work automatically when bridges is enabled in your embed config. The redirect URL is handled by Orderly’s OAuth callback endpoints. You don’t need to configure redirect URLs or manage OAuth credentials — that’s all handled at the platform level.