OAuth 2.0 Authorization Code in GravityWP API Connector

OAuth 2.0 Authorization Code is an authentication flow that lets API Connector connect to an API without pasting a permanent token into your site.

Instead of storing a static token, you authorize access in your browser. The provider asks you to approve access, then sends you back to your site through a redirect URL (also called a callback URL) so API Connector can finish the connection.

This method is commonly used for CRMs, marketing tools, and account-based platforms that require user approval.


When to use OAuth Authorization Code

Use this authentication method when an API provider:

  • requires an OAuth app (client ID + client secret)
  • requires a registered redirect URL
  • uses a consent screen where you approve access

If the provider gives you a single static token, a Bearer Token connection is usually a better fit.

If the provider supports a “server-to-server” OAuth flow (no user consent), OAuth 2.0 Client Credentials may be the right fit.


Authentication methods in API Connector

API Connector supports several authentication methods, including OAuth 2.0 Authorization Code.

Screenshot: the API Connector authentication method dropdown with “OAuth 2.0 (Authorization Code)” selected, one of the several authentication methods the plugin supports.

Key terms (beginner-friendly)

Client ID
An identifier for your OAuth app in the provider’s developer settings.

Client Secret
A secret value for your OAuth app. Keep it private. API Connector uses it to complete the OAuth flow.

Authorization URL
The provider URL that starts the consent screen. This is where you approve access.

Token URL
The provider URL used to exchange the authorization code for tokens.

Scope
A permission string that limits what the connection can access. Always use the smallest scope that fits your use case.

Redirect URL (Callback URL)
The URL on your site that receives the browser after consent. Providers require an exact match.

PKCE
Proof Key for Code Exchange, an optional security extension to the OAuth 2.0 Authorization Code flow that some providers recommend or require.


OAuth Authorization Code setup overview

In this OAuth Authorization Code setup, you’ll register a redirect URL and authorize the connection in your browser.

Most providers follow the same setup pattern:

  1. Create an OAuth app in the provider’s developer area.
  2. Copy the Client ID and Client Secret.
  3. Create an OAuth 2.0 Authorization Code connection in API Connector.
  4. Get the redirect URL that API Connector uses and register it inside the provider app settings.
  5. Authorize the connection and confirm it shows as Authorized.

Create an OAuth Authorization Code connection

Go to the API Connector settings area in your WordPress admin and add a new API connection.

Fill in the required fields using values from your API provider:

  • API Name: a label to recognize the connection
  • Base URL: the API base domain you will call
  • Authentication method: OAuth 2.0 (Authorization Code)
  • Client ID: from your provider app
  • Client Secret: from your provider app
  • Authorization URL: from your provider’s OAuth documentation
  • Token URL: from your provider’s OAuth documentation

Screenshot: the API Connector connection editor showing the Client ID, Client Secret, Authorization URL, and Token URL fields. Add an OAuth 2.0 (Authorization Code) connection by entering your provider’s Client ID, Client Secret, and OAuth URLs.

Token URL, scopes, and PKCE (Authorization Code flow)

Token URL

The Token URL is the endpoint the provider uses to exchange the authorization code for tokens. This value is supplied by the provider.

Scope (optional)

Scopes define permissions. For a read-only use case, use read scopes only.
Example scope (provider-specific): crm.objects.contacts.read

PKCE (optional)

Enable PKCE if your provider recommends it or requires it. If you are not sure, follow the provider’s OAuth setup guide.

Screenshot: the connection settings panel showing the Token URL, Scope field, and PKCE toggle. Token URL and scopes come from the provider’s OAuth documentation; enable PKCE only if the provider recommends or requires it.

Redirect URL for OAuth Authorization Code (callback URL)

API Connector does not show a single “callback URL” field in the connection editor.

The most reliable way to get the correct redirect URL is to start the authorization flow and copy the redirect URL used in the request.

Use this process:

  1. Save your API connection.
  2. Click Authorize (or Re-authorize).
  3. Your browser opens the provider’s consent screen.
  4. Copy the redirect_uri value from the browser’s address bar (the URL you were sent to).
  5. Paste that redirect URL into your provider app settings under Redirect URLs, Redirect URIs, or Callback URLs.

Most WordPress sites use this redirect URL format:

https://yourdomain.com/wp-json/gwpapiconnector/v1/oauth/callback

The domain changes per site. The callback path stays the same.
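The steps above (PKCE, scope, the authorization request, copying redirect_uri from it, and the later token exchange) are easier to see as one concrete flow. The following is an added example written for this page, not API Connector’s own code: the provider endpoints, client ID and the placeholder domain are constructed values, and the redirect URL uses the callback path format shown above. It builds the authorization request with a PKCE S256 challenge and a random state, extracts the redirect_uri you would register with the provider, validates the callback, and assembles the form body sent to the Token URL.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example. A real provider supplies its own
# Authorization URL, Token URL and app credentials.
AUTHORIZATION_URL = "https://provider.example/oauth/authorize"
TOKEN_URL = "https://provider.example/oauth/token"
CLIENT_ID = "example-client-id"
# Redirect URL in the format most WordPress sites use with API Connector.
REDIRECT_URI = "https://yourdomain.com/wp-json/gwpapiconnector/v1/oauth/callback"


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    The verifier never leaves the client; only its SHA-256 challenge goes into the
    authorization request, so an intercepted authorization code is useless alone.
    """
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_request(scope: str, state: str, code_challenge: str) -> str:
    """Build the URL the browser is sent to for the provider's consent screen."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,                    # smallest scope set that fits the use case
        "state": state,                    # random per-request value, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_URL + "?" + urlencode(params)


def redirect_uri_from_request(authorization_request_url: str) -> str:
    """Pull redirect_uri out of the authorization request: the exact value to register."""
    return parse_qs(urlparse(authorization_request_url).query)["redirect_uri"][0]


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the callback and return the authorization code.

    A state mismatch means the callback was not started by this session; discard it.
    """
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this authorization request")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    return query["code"][0]


def build_token_request(code: str, code_verifier: str, client_secret: str) -> dict:
    """Form body POSTed to the Token URL to exchange the code for tokens."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,      # must equal the value used in the authorization request
        "client_id": CLIENT_ID,
        "client_secret": client_secret,    # server side only; never expose it in the browser
        "code_verifier": code_verifier,
    }


def verify_code_challenge(code_verifier: str, code_challenge: str) -> bool:
    """Provider-side check: the verifier sent to the Token URL must hash to the challenge."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    recomputed = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return secrets.compare_digest(recomputed, code_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorization_request("crm.objects.contacts.read", state, challenge)
    print("Authorization request:", url)
    print("redirect_uri to register with the provider:", redirect_uri_from_request(url))
```

The redirect_uri in the token request has to equal the one in the authorization request byte for byte, which is why copying it from the live request (step 4 above) is more reliable than typing it by hand.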


Example: “unverified app” warning during authorization

Some providers show an unverified app warning for development apps. This is common during testing.

Screenshot: an unverified app warning shown by the provider during authorization.

Example: redirect URI mismatch error

If the provider says the redirect URL does not match, it means the redirect URL registered in the provider app settings is not an exact match for the redirect URL used in the authorization request.

Common causes:

  • http vs https mismatch
  • wrong domain (www vs non-www)
  • missing callback path segment
  • trailing slash differences

Screenshot: an OAuth authorization failed message stating that the redirect URI does not match the registered redirect URL. A redirect URI mismatch usually means the provider’s registered Redirect URL does not exactly match the redirect_uri used during authorization.
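Providers compare the registered redirect URL and the requested redirect_uri for an exact match, so the cause of a mismatch can be found by comparing the two values component by component. The function below is an added example, not part of API Connector: it takes the registered value and the requested value and reports which of the common causes above applies. The sample redirect URL is a constructed value in the callback format shown above.

```python
from urllib.parse import urlsplit

# Constructed example: a redirect URL in the format API Connector uses on most sites.
EXAMPLE_REDIRECT_URI = "https://yourdomain.com/wp-json/gwpapiconnector/v1/oauth/callback"


def _without_www(host: str) -> str:
    """Drop a leading 'www.' so www and non-www hosts can be compared."""
    return host[4:] if host.startswith("www.") else host


def diagnose_redirect_mismatch(registered: str, requested: str) -> list:
    """Compare the redirect URL registered in the provider app against the redirect_uri
    in the authorization request.

    Returns [] only on an exact match; otherwise a list of likely causes, using the
    same wording as the common-causes list above.
    """
    if registered == requested:
        return []
    reg, req = urlsplit(registered), urlsplit(requested)
    causes = []
    if reg.scheme != req.scheme:
        causes.append("http vs https mismatch")
    reg_host, req_host = reg.hostname or "", req.hostname or ""
    if reg_host != req_host:
        if _without_www(reg_host) == _without_www(req_host):
            causes.append("wrong domain (www vs non-www)")
        else:
            causes.append("wrong domain (%s vs %s)" % (reg_host, req_host))
    if reg.port != req.port:
        causes.append("port differs")
    if reg.path != req.path:
        if reg.path.rstrip("/") == req.path.rstrip("/"):
            causes.append("trailing slash differences")
        elif (req.path.startswith(reg.path.rstrip("/") + "/")
              or reg.path.startswith(req.path.rstrip("/") + "/")):
            causes.append("missing callback path segment")
        else:
            causes.append("callback path differs (%s vs %s)" % (reg.path, req.path))
    if reg.query != req.query or reg.fragment != req.fragment:
        causes.append("query string or fragment differs")
    # Anything left (e.g. percent-encoding or case differences) needs a manual comparison.
    return causes or ["difference not classified; compare the two values character by character"]


if __name__ == "__main__":
    registered = "http://www.yourdomain.com/wp-json/gwpapiconnector/v1/oauth/callback/"
    for cause in diagnose_redirect_mismatch(registered, EXAMPLE_REDIRECT_URI):
        print("-", cause)
```

Run it with the value from your provider app settings as the first argument and the redirect_uri copied from the authorization request as the second; an empty list means the values already match and the error lies elsewhere (for example, a different app or environment than the one you registered).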

Confirm the connection is authorized

After the redirect URL is registered correctly in the provider app settings:

  1. Click Authorize again.
  2. Complete the provider’s consent screen.
  3. Return to WordPress and confirm the connection shows as Authorized.

If access needs to be granted again later, use Re-authorize.

Common use cases

OAuth 2.0 Authorization Code is often used when connecting Gravity Forms to:

  • CRMs (contact records, deal lookups)
  • marketing platforms (subscriber or profile data)
  • account-based APIs that require user-level approval

Once authorized, the connection can be used by API feeds to run requests such as GET, POST, PATCH, or DELETE, depending on what the API supports.


Security and maintenance notes

  • Treat the client secret like a password. Keep access limited to site administrators.
  • Use least privilege scopes. If a connection only needs read access, do not request write scopes.
  • If a provider app is changed (redirect URLs, scopes, publishing status), re-authorize the connection.

Troubleshooting OAuth Authorization Code

Most OAuth Authorization Code errors come from redirect URL mismatches or missing scopes.

Redirect URI mismatch
Copy the redirect_uri from the authorization request and register that exact value inside the provider app settings.

Scope or permission error
Confirm scopes match the provider documentation, then save and re-authorize.

Unverified app warning
Normal for development apps. Confirm the app details before continuing.

Connection is not authorized
Use Re-authorize and confirm the provider app is still active.

OAuth Authorization Code – FAQ

How do I find the callback URL for API Connector OAuth?

Start authorization and copy the redirect_uri used in the request, then register it in the provider.

Do I need HTTPS?

Most providers require HTTPS for production OAuth apps. Use HTTPS when available.

What should I put in the Scope field?

Use the smallest scope set that matches your use case. Providers list valid scope values in their docs.

When should PKCE be enabled?

Enable PKCE if your provider recommends or requires it.

What if scopes change later?

After updating scopes, re-authorize so the provider can apply the new permissions.
