OAuth Apps
OAuth is configured on a custom app. Create the app in Settings -> Apps, add OAuth settings, then use that app for Log in with One Horizon, Connect One Horizon, or user-approved API access.
After a workspace member approves your app, your app receives user-scoped tokens. Those tokens can read workspace data or take workspace actions the member is allowed to take, such as listing initiatives, creating comments, updating bugs, or starting agent sessions.
Add login to a custom app
Building a custom app that needs login or workspace connection starts here. The Custom App page explains the larger integration shape; this page covers OAuth settings, callback URLs, client credentials, PKCE, and token handling.
OAuth fits customer-facing apps, MCP clients, agent integrations, and tools that need actions tied to the signed-in member. An API key fits trusted backend services and CI jobs that act for one workspace without a signed-in user.
| What you are building | Setup |
|---|---|
| Add Log in with One Horizon to your product | Custom app with OAuth |
| Let users connect a workspace to your product | Custom app with OAuth |
| Read or update data as the signed-in member | OAuth access token |
| Run internal automation for one workspace | Workspace API key |
| Build a local or cloud agent | Start with Agent workflows |
Create the app
Workspace admins manage custom apps from Settings -> Apps. Add the app identity users see during consent: name, logo, homepage, privacy policy, and terms URL. Then configure callback URLs, OAuth settings, client ID, and client secret.
Public clients use PKCE directly. Confidential clients can use a client secret, and selected confidential clients can use dashboard-managed PKCE when they cannot originate PKCE themselves.
Create separate apps for production and staging so callback URLs, secrets, webhook keys, and delivery logs stay isolated.
OAuth settings
Add each callback URL that your app can return to after authorization. Keep callback URLs exact; do not rely on broad redirects.
Public clients should use PKCE and should not embed a secret. Confidential clients should store the client secret on the server only. If the app cannot originate PKCE itself, use dashboard-managed PKCE only for the clients that need it.
OAuth clients created automatically by tools such as MCP or the CLI can also appear in app management so users can inspect or revoke access.
Example app
The OAuth login example is a server-side TypeScript app. It sends users to One Horizon, verifies the callback with state and PKCE, exchanges the code on the server, and keeps the client secret and tokens out of browser code.
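The flow the example app follows (PKCE for public clients, the client secret kept server-side, exact callback URL matching, and state checked on the callback) is sketched below as an added illustration. It is not the OAuth login example's own code and not One Horizon's SDK; the authorize and token endpoint URLs, the registered callback list, and the client identifiers are placeholder values chosen for this snippet. Only the request-building and verification steps are shown; sending the token request over HTTPS is left to the app's HTTP client.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Placeholder endpoints: the page does not give One Horizon's real URLs.
const AUTHORIZE_URL = "https://one-horizon.example/oauth/authorize"; // assumed
const TOKEN_URL = "https://one-horizon.example/oauth/token";         // assumed, unused offline

// Callback URLs registered for the app in Settings -> Apps (constructed sample).
const REGISTERED_CALLBACKS: readonly string[] = ["https://app.example.com/oauth/callback"];

// Per-login record the server keeps (e.g. in the session) between redirect and callback.
interface PendingAuth {
  state: string;
  codeVerifier: string;
  redirectUri: string;
  createdAt: number;
}

function base64url(buf: Buffer): string {
  return buf.toString("base64url");
}

// PKCE code_verifier: 32 random bytes -> 43 URL-safe characters (RFC 7636 section 4.1).
function newCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2).
function codeChallengeS256(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Callback URLs are compared by exact string equality: no prefix or wildcard matching.
function isRegisteredCallback(uri: string): boolean {
  return REGISTERED_CALLBACKS.includes(uri);
}

// Step 1: build the authorization URL and remember state + verifier server-side.
function beginAuthorization(
  clientId: string,
  redirectUri: string,
  scope: string,
): { pending: PendingAuth; authorizeUrl: string } {
  if (!isRegisteredCallback(redirectUri)) throw new Error("redirect_uri is not registered");
  const state = base64url(randomBytes(16));
  const codeVerifier = newCodeVerifier();
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  url.searchParams.set("code_challenge", codeChallengeS256(codeVerifier));
  url.searchParams.set("code_challenge_method", "S256");
  return { pending: { state, codeVerifier, redirectUri, createdAt: Date.now() }, authorizeUrl: url.toString() };
}

// Constant-time comparison so state checks do not leak via timing.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a);
  const bb = Buffer.from(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Step 2: on the callback, verify state and build the token request body.
// The client secret (confidential clients only) is added here, on the server, never in browser code.
function handleCallback(
  pending: PendingAuth,
  callbackQuery: URLSearchParams,
  clientId: string,
  clientSecret?: string,
  maxAgeMs = 10 * 60 * 1000,
): URLSearchParams {
  const state = callbackQuery.get("state") ?? "";
  const code = callbackQuery.get("code") ?? "";
  if (!safeEqual(state, pending.state)) throw new Error("state mismatch");
  if (Date.now() - pending.createdAt > maxAgeMs) throw new Error("authorization request expired");
  const err = callbackQuery.get("error");
  if (err) throw new Error(`authorization failed: ${err}`);
  if (!code) throw new Error("missing authorization code");
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: pending.redirectUri, // must equal the value sent in step 1
    client_id: clientId,
    code_verifier: pending.codeVerifier,
  });
  if (clientSecret) body.set("client_secret", clientSecret);
  return body; // POST this to TOKEN_URL as application/x-www-form-urlencoded
}
```

A public client calls `handleCallback` without a secret and relies on `code_verifier` alone; a confidential client passes the secret read from server configuration. Because `pending` is keyed to the user's session, a callback that arrives with someone else's state fails the comparison before any token request is made.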
User control
Users can review connected OAuth clients and revoke access when they no longer need an app. Revoking access stops that app from using the user's token for workspace data or actions.
OAuth apps are managed from Settings -> Apps and governed by Permissions.