OAuth Apps
Use OAuth Apps when your product needs a Log in with One Horizon or Connect One Horizon flow.
After a workspace member approves your app, your app receives user-scoped tokens. Use those tokens to read workspace data or take workspace actions the member is allowed to take, such as listing initiatives, creating comments, updating bugs, or starting agent sessions.
When to use OAuth
Use OAuth when your app needs a person to approve access from their own One Horizon account. This is the right model for customer-facing apps, MCP clients, agent integrations, and tools that need to show who took an action.
Use an API key when a trusted backend service or CI job should act for one workspace without a signed-in user.
| Need | Use |
|---|---|
| Add Log in with One Horizon to your app | OAuth app |
| Let users connect their workspace to your product | OAuth app |
| Read or update data as the signed-in member | OAuth access token |
| Run internal automation for one workspace | Workspace API key |
| Build a local or cloud agent | OAuth app plus agent endpoints |
App setup
Workspace admins manage apps from Settings -> Apps. A custom app can include homepage, logo, privacy policy, terms URL, callback URLs, OAuth settings, client ID, and client secret.
Public clients use PKCE directly. Confidential clients can use a client secret, and selected confidential clients can use dashboard-managed PKCE when they cannot originate PKCE themselves.
Create separate apps for production and staging so callback URLs, secrets, webhook keys, and delivery logs stay isolated.
OAuth settings
Add each callback URL that your app can return to after authorization. Keep callback URLs exact; do not rely on broad redirects.
Public clients should use PKCE and should not embed a secret. Confidential clients should store the client secret on the server only. If the app cannot originate PKCE itself, use dashboard-managed PKCE only for the clients that need it.
OAuth clients created automatically by tools such as MCP or the CLI can also appear in app management so users can inspect or revoke access.
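The callback and PKCE guidance above, sketched as an added example (not One Horizon's code): a public client builds the S256 challenge from RFC 7636 and only sends a callback that exactly matches its registered list. The callback URLs, client ID and helper names are constructed for illustration, and the query uses the standard OAuth parameter names; One Horizon's authorization endpoint is not shown on this page and is left out.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed sample values; the page gives no real callback URLs or client IDs.
REGISTERED_CALLBACKS = frozenset({
    "https://app.example.com/oauth/callback",
    "https://staging.example.com/oauth/callback",
})


def s256_challenge(code_verifier):
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh verifier (86 chars, inside the 43-128 limit) and its challenge."""
    verifier = secrets.token_urlsafe(64)
    return verifier, s256_challenge(verifier)


def callback_allowed(redirect_uri):
    """Exact string comparison: no prefix, wildcard or pattern matching."""
    return redirect_uri in REGISTERED_CALLBACKS


def callback_allowed_by_prefix(redirect_uri):
    """Weak form shown for contrast: a prefix check accepts look-alike hosts."""
    return redirect_uri.startswith("https://app.example.com")


def authorization_query(client_id, redirect_uri):
    """Return (query, verifier, state); verifier and state stay with the client."""
    if not callback_allowed(redirect_uri):
        raise ValueError("redirect_uri is not a registered callback")
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    })
    return query, verifier, state
```

Only the challenge travels in the authorization request; the verifier is sent later with the code exchange, so no client secret has to be embedded in a public client.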
User control
Users can review connected OAuth clients and revoke access when they no longer need an app. Revoking access stops that app from using the user's token for workspace data or actions.
OAuth apps are managed from Apps and governed by Permissions.