OAuth 2.0
OAuth 2.0 is available to customers on Business tier plans.
See the available plans, or contact Support.
OAuth 2.0 is an online authorization standard that uses tokens to grant access to API resources like Segment’s tracking API. You can use OAuth 2.0 as a security requirement for connections to third-party tools.
Permissions
Depending on your workspace permissions, your access to OAuth apps is limited.
| Segment Role | Permission |
|---|---|
| Workspace Owner | You can view, create, and edit OAuth apps. |
| Workspace Member | You cannot view, create, or edit OAuth apps. |
| Source Admin | You can view and edit OAuth apps. You can connect and disconnect OAuth apps. You can enable or disable OAuth enforcement. |
| Source Read-only | You can only view OAuth apps. |
| Function Admin | You can view and edit OAuth apps. You can connect and disconnect OAuth apps. You can enable and disable OAuth enforcement. |
| Function Read-only | You can only view OAuth apps. |
Create an OAuth app
You must have already created a workspace in Segment to use OAuth.
To create a new OAuth application:
- Navigate to Settings > Workspace settings and select the Access Management tab.
- Select the OAuth application tab within the Access Management page.
- Click Create OAuth app.
-
Enter the configuration settings:
Settings Details Application name The name of the OAuth app. Public key Upload a public key in PEM format to authenticate through the OAuth application. You can upload a second public key after you create the OAuth application. You can create a public key by running the script: openssl rsa -in private.pem -pubout -outform PEM -out public.pemPublic key name Enter a name for your public key. Token expiration period You can choose between: 1 day, 2 days, 3 days, 1 week, 2 weeks, 3 weeks, 30 days. Scope This specifies what type of access you need for each API. See the list of supported scopes. - Click Create.
Once you create your OAuth app, you can now connect a source to your OAuth app.
Connect a source to OAuth
OAuth only supports server-side sources. See the list of supported sources.
To connect a source to OAuth:
- Navigate to Connections > Sources.
- Select the source you want to enable OAuth for.
- Go to the Settings tab of the source page and select OAuth app.
- Click Connect OAuth app.
- Select the OAuth app you want to connect the source to.
- Click Connect.
To disconnect your source from OAuth, click Disconnect.
Enable a source to OAuth
Once you’ve connected your source to OAuth, you can enable it. To enable your source:
- Navigate to Connections > Sources and select your source.
- Go to the Settings tab of the source and select OAuth app.
- Turn the toggle on for Enable OAuth.
To disable your source from OAuth, turn the toggle off for Enable OAuth.
Obtain the access token
You can obtain an access token once you create an OAuth application and enable a source to OAuth.
Access tokens are only valid within a region. The supported regional authorization servers are:
- Oregon -
https://oauth2.segment.io - Dublin -
https://oauth2.eu1.segmentapis.com
To obtain the access token:
-
Create a JWT token with the header and payload as below:
Header
{ "alg":"RS256", "typ":"JWT", "kid":"<<KID>>" }Payload
{ "iss":"<<ISS>>", "sub":"<<SUB>>", "aud":"<<AUD>>", "iat":"<<IAT>>", "exp":"<<EXP>>", "jti":"<<JTI>>" }Field Description KID The key ID of the public key in the OAuth application. ISS The identifier of the JWT issuer. SUB The OAuth application ID. IAT The epoch time in seconds when the token was issued. EXP The expiry time in seconds. This is expected to be valid only for a short duration under a minute. JTI The unique identifer for the token. -
Send a form-url-encoded
POSTrequest to the regional authorization server with the following parameters:grant_type=client_credentials client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion=<<JWT>> scope=<<SCOPE>>Field Description JWT The signed JWT token string from Step 1. SCOPE Scopes for which token is requested. See supported scopes.
To use the access token, see an example of how to use the access token in the HTTP API source.
Edit an OAuth application
To edit an existing OAuth application:
- Navigate to Settings > Workspace settings and select the Access Management tab.
- Select the OAuth application tab within the Access Management page.
- Click the application name of the OAuth application you want to edit.
- On the Overview tab you can:
- Revoke a token
- Copy the Application ID and the Public key
- Delete the OAuth application
- Select the Settings tab on the right window where you can:
- Edit the Application name
- Delete a public key
- Add a new public key
- Change the token expiration period
- Edit your scope
- Click Save changes.
Delete an OAuth app
To delete an OAuth app, you must remove all connected sources from the app.
To delete an OAuth app:
- Navigate to Settings > Workspace settings and select the Access Management tab.
- Select the OAuth application tab within the Access Management page.
- Select the App name of the OAuth app you want to delete.
- Select Delete OAuth app.
- Enter the name of the OAuth app you want to delete.
- Click Delete OAuth app.
Revoke a token
When security incidents expose access tokens, you can revoke your access token. To revoke a token:
- Navigate to Settings > Workspace settings and select the Access Management tab.
- Select the *OAuth application tab within the Access Management page.
- Select the App name with the token you want to delete.
- Enter the complete token
- Click Revoke token.
Supported sources
OAuth 2.0 currently supports these sources:
Supported scopes
OAuth 2.0 currently supports these scopes:
Tracking API scopes
tracking_api:write
Source Functions scopes
functions:write
Public API scopes
public_api:read_write
This page was last modified: 24 Jun 2024
Need support?
Questions? Problems? Need more info? Contact Segment Support for assistance!