Use this flow when: Your application can securely store a Client Secret (server-side applications).
Benefits: Provides both access tokens and refresh tokens for long-term access.
Redirect the user to the authorization endpoint:
GET https://www.make.com/oauth/v2/authorize
Required parameters:
client_id: Your application's Client ID
response_type: Set to code
redirect_uri: Pre-registered callback URL
scope: Requested permissions (include openid for OpenID Connect)
state: Random string for CSRF protection (recommended)
Example URL:
https://www.make.com/oauth/v2/authorize? client_id=your_client_id& response_ty
The user:
Logs into Make.com (if not already authenticated)
Reviews and approves the requested permissions
Gets redirected to your redirect_uri with an authorization code
Callback URL format:
https://yourapp.com/callback?code=authorization_code&state=random_state_strin
Make a server-side POST request to the token endpoint:
POST https://www.make.com/oauth/v2/token
Required Parameters:
client_id: Your Client ID
client_secret: Your Client Secret
grant_type: Set to authorization_code
code: Authorization code from Step 2
Response:
{
  "access_token": "eyJ...",
  "refresh_token": "eyJ...",
  "id_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600
}
When the access token expires, use the refresh token:
grant_type: Set to refresh_token
refresh_token: Refresh token from Step 3
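
The redirect, callback and code-exchange steps above as server-side helpers, including the state comparison that makes the CSRF protection effective. This is an added example, not Make's own code; the function names, the default scope of openid alone, and sending the token parameters as a form-encoded POST body are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://www.make.com/oauth/v2/authorize"
TOKEN_URL = "https://www.make.com/oauth/v2/token"


def build_authorize_url(client_id, redirect_uri, scope="openid"):
    """Return (url, state). Keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if state matches the session value."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time compare on bytes. A missing or different state means this
    # session did not start the flow, so the code is rejected unused.
    if not expected_state or not hmac.compare_digest(
            returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def token_request_body(client_id, client_secret, code):
    """Form body to POST to TOKEN_URL from the server, never from the browser."""
    # Assumption: parameters are sent form-encoded, as is usual for OAuth 2.0.
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
    })
```

Discard the stored state after one callback so a replayed redirect cannot reuse it.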