Set up to authorize users

When users connect their Snyk account to your App, they must authorize access to the Organization or Group they choose and approve the scopes the App requests. This process starts when you direct users to the Snyk Apps authorization web page and pass the appropriate parameters:

https://app.snyk.io/oauth2/authorize?response_type=code&client_id={clientId}&redirect_uri={redirectURI}&scope={scopes}&nonce={nonce}&state={state}&version={version}

The current version can be found in the Snyk OAuth2 API documentation.

The scopes and the redirect_uri must match what was defined when the App was created.

The state value is used to carry any App-specific state from this /authorize call to the callback on the redirect_uri (such as a user’s id). It must be verified in your callback to prevent CSRF attacks.

The nonce value is a cryptographically random string that your App stores alongside a timestamp before calling /authorize and then verifies against the returned access token. For more information see The OAuth 2.0 Authorization Framework Access Token Types.

After the connection is complete, the user is redirected to the specified redirect URI with the code and state query string parameters appended; both are needed for the next step.
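The following is an added example, not Snyk's own SDK or sample code, that puts the steps above together: it generates a state and a nonce, records them with a timestamp, builds the /authorize URL with the parameters listed on this page, and then verifies the state on the redirect so that an unknown, replayed or expired state is rejected. The authorize endpoint comes from the page; the client id, redirect URI, scope names, version value, the 10-minute lifetime and the space-separated scope encoding are constructed assumptions for the example.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint as given on the page; every other value below is an assumption.
AUTHORIZE_ENDPOINT = "https://app.snyk.io/oauth2/authorize"

# Assumed lifetime for a pending authorization. A stale entry is rejected
# even if its state value matches.
PENDING_TTL_SECONDS = 600

# Pending authorizations keyed by state. A real App would keep this in its
# session or database; each entry holds the nonce, a timestamp and any
# App-specific state that must survive the round trip (e.g. a user id).
_pending = {}


def start_authorization(client_id, redirect_uri, scopes, version, app_state, now=None):
    """Create state and nonce, store them, and return (authorize_url, state, nonce)."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)   # unguessable, ties callback to this request
    nonce = secrets.token_urlsafe(32)   # later compared against the returned token
    _pending[state] = {"nonce": nonce, "created": now, "app_state": app_state}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match what the App was created with
        "scope": " ".join(scopes),      # assumed encoding: space-separated scope list
        "nonce": nonce,
        "state": state,
        "version": version,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce


def handle_callback(callback_url, now=None):
    """Verify the state on the redirect and return (code, app_state, nonce).

    Raises ValueError when the state is missing, unknown, already used or
    expired. This is the check that stops a forged redirect (CSRF) from
    being accepted as the outcome of an authorization the App started.
    """
    now = time.time() if now is None else now
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    if not code or not state:
        raise ValueError("callback is missing code or state")
    entry = _pending.pop(state, None)   # one-shot: the same state cannot be replayed
    if entry is None:
        raise ValueError("unknown state value; rejecting callback")
    if now - entry["created"] > PENDING_TTL_SECONDS:
        raise ValueError("authorization request expired")
    return code, entry["app_state"], entry["nonce"]


def nonce_matches(expected, received):
    """Constant-time comparison of the stored nonce with the one in the token."""
    return secrets.compare_digest(expected, received or "")


if __name__ == "__main__":
    url, state, nonce = start_authorization(
        "example-client-id", "https://example.com/snyk/callback",
        ["org.read"], "version-placeholder", {"user_id": 42})
    print("redirect user to:", url)
    # Constructed callback as Snyk would redirect to after approval:
    code, app_state, stored_nonce = handle_callback(
        f"https://example.com/snyk/callback?code=example-code&state={state}")
    print("code:", code, "app state:", app_state, "nonce ok:", nonce_matches(stored_nonce, nonce))
```

The returned nonce is the value the App compares against the token obtained in the next step; the state is consumed on first use so a second request carrying the same value fails, which is the behaviour a defender wants when a redirect is replayed.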

© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.