OAuth (SSO)

Last updated 3 months ago

OAuth is a security framework that allows you to grant websites or applications access to your information without sharing your password. It acts like a permission slip, letting a service access part of your data from another service on your behalf. For example, you might log into a new app using your Google or Facebook account, and OAuth handles the secure sharing of your data between the services.

OAuth vs JWE Token Authentication

OAuth is like giving a valet key to a friend, allowing them limited access to your car. It lets services share your data safely without sharing your password. You're still in control, and you can revoke this access at any time.

JWE Token Authentication is more like using a sealed envelope. Your information is encrypted and can only be read by the intended recipient. It ensures data integrity and privacy but doesn't manage who has access like OAuth does. It's great for situations where secure data transmission is key.

The OAuth Flow

  1. Client Registration: The client application registers with the OAuth service provider to obtain a client ID and client secret, which are used to identify the application during the OAuth flow.

  2. User Authorization: The client redirects the user to the authorization server where the user logs in and consents to the application's data access request. This is where the user would see a Google, Facebook, X, or other sign-in option on your frontend.

  3. Authorization Grant: Once the user signs in and approves access, the authorization server issues an authorization grant to the client, typically in the form of a code sent via a URL query parameter. On the Xano side, this is one of your APIs designed to ingest that authorization code.

  4. Access Token Request: Your Xano API sends a request to the authorization server's token endpoint, including the authorization grant and credentials (client ID and secret), to obtain an access token. Once Xano has determined that the token is valid, it is traded for a Xano JWE token so that standard authentication methods can proceed.

  5. Access Token Response: The authorization server verifies the request and returns an access token, which the client can use to access protected resources on the user's behalf.

  6. Access Resource: The client uses the access token to make requests to the resource server, accessing the user's resources as allowed by the token's scope.
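The six steps above, carried through as a working exchange. This is an added example, not Xano's own code and not a Xano Marketplace extension: the authorization server, its token and resource endpoints, the client registration (`app-123` / `s3cret`), the redirect URI, the user `alice` and the signing key are all constructed so the flow runs offline in one process. The client side plays the role the Xano API has in steps 3 and 4, and the HMAC-tagged session string it mints at the end is a stand-in for the Xano JWE token the page mentions, not a JWE. The example also shows the two checks a callback handler should make that the list leaves implicit: the `state` parameter must match a login this client started, and an authorization code is accepted only once.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthServer:
    """Simulated provider: authorization, token and resource endpoints (an assumption, not a real provider)."""

    def __init__(self, client_id, client_secret):
        self.clients = {client_id: client_secret}   # step 1: registered client credentials
        self.codes = {}                               # code -> (client_id, redirect_uri, scope, user)
        self.tokens = {}                              # access token -> (user, scope)

    def authorize(self, params, logged_in_user):
        """Steps 2-3: after login and consent, send a one-time code back on the redirect URI."""
        if params["client_id"] not in self.clients or params["response_type"] != "code":
            raise ValueError("unknown client or unsupported response_type")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (params["client_id"], params["redirect_uri"], params["scope"], logged_in_user)
        # state is echoed back unchanged so the client can tie the callback to a login it started
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 4-5: check client credentials and the grant, then issue an access token."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid client credentials")
        grant = self.codes.pop(code, None)            # pop: a code is single-use
        if grant is None or grant[0] != client_id or grant[1] != redirect_uri:
            raise PermissionError("invalid, mismatched or already used authorization code")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (grant[3], grant[2])
        return {"access_token": access_token, "token_type": "Bearer", "scope": grant[2]}

    def userinfo(self, access_token):
        """Step 6: the resource server returns only what the token's scope allows."""
        user, scope = self.tokens[access_token]
        profile = {"sub": user}
        if "email" in scope.split():
            profile["email"] = f"{user}@example.test"   # constructed sample data
        return profile


class OAuthClient:
    """The application side, i.e. the role the Xano API plays in steps 3-4 above."""

    def __init__(self, server, client_id, client_secret, redirect_uri, session_key):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.redirect_uri, self.session_key = redirect_uri, session_key
        self.pending_states = set()                   # logins this client has started

    def start_login(self, scope="openid email"):
        """Step 2: parameters the user is redirected with; the state is remembered."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": state}

    def handle_callback(self, callback_url):
        """Steps 3-6: validate state, exchange the code, read the profile, mint a local token."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending_states:
            raise PermissionError("state mismatch: callback is not tied to a login this client started")
        self.pending_states.discard(state)            # state is single-use as well
        token = self.server.token(self.client_id, self.client_secret,
                                  query["code"][0], self.redirect_uri)
        profile = self.server.userinfo(token["access_token"])
        return profile, self.mint_local_token(profile["sub"])

    def mint_local_token(self, subject):
        """Stand-in for trading the provider token for the app's own token (Xano issues a JWE here)."""
        tag = hmac.new(self.session_key, subject.encode(), hashlib.sha256).hexdigest()
        return f"{subject}.{tag}"

    def verify_local_token(self, token):
        subject, tag = token.rsplit(".", 1)
        expected = hmac.new(self.session_key, subject.encode(), hashlib.sha256).hexdigest()
        return subject if hmac.compare_digest(expected, tag) else None


def run_flow():
    """Drive the whole exchange with constructed credentials and report what was checked."""
    server = AuthServer("app-123", "s3cret")          # constructed client registration (step 1)
    client = OAuthClient(server, "app-123", "s3cret",
                         "https://app.example.test/oauth/callback", b"session-signing-key")
    callback_url = server.authorize(client.start_login(), logged_in_user="alice")
    profile, local_token = client.handle_callback(callback_url)

    code = parse_qs(urlparse(callback_url).query)["code"][0]
    try:                                              # replaying a consumed code must fail
        server.token("app-123", "s3cret", code, client.redirect_uri)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    try:                                              # a callback with an unknown state must fail
        client.handle_callback(client.redirect_uri + "?code=whatever&state=not-ours")
        forged_state_rejected = False
    except PermissionError:
        forged_state_rejected = True

    return {"subject": client.verify_local_token(local_token), "email": profile.get("email"),
            "replay_rejected": replay_rejected, "forged_state_rejected": forged_state_rejected}


if __name__ == "__main__":
    print(run_flow())
```

Two design points carry over to a real integration regardless of provider: the callback handler should refuse any `state` it did not issue (which stops a login from being completed with a code the application never asked for), and the token endpoint request should include the same `redirect_uri` used in the authorization request, since providers compare the two before releasing a token.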

Building OAuth in Xano

1. Enable Marketplace access in your workspace

If you don't see Marketplace in your left-hand navigation menu, open your workspace settings: click the icon in the top-right corner and choose Settings.

Check the box to Enable Marketplace.

2. Access the Marketplace and browse for your OAuth extension of choice

Xano provides several prebuilt OAuth flows that you can import from the Marketplace into your workspace.