OAuth

Provider config, signed state, PKCE, token exchange.

OAuth 2.0 plugins declare an oauthConfig on the plugin definition:

const slackOAuthConfig: OAuthConfig = {
  providerName: 'Slack',
  authUrl: 'https://slack.com/oauth/v2/authorize',
  tokenUrl: 'https://slack.com/api/oauth.v2.access',
  scopes: ['channels:read', 'chat:write', 'users:read'],
  tokenAuthMethod: 'body',
};

The runtime exposes four primitives:

  • generateAuthUrl({ oauthConfig, clientId, redirectUri, pluginId, tenantId, stateSecret, pkce? }) — builds the auth URL with a signed state parameter.
  • signOAuthState(payload, secret) / verifyOAuthState(state, secret) — HMAC-signed state round-tripping.
  • generatePKCE() — code verifier + challenge for public clients.
  • exchangeCodeForTokens({ code, clientId, clientSecret, oauthConfig, redirectUri, pkceVerifier? }) — exchanges the code for access_token / refresh_token / expires_in / scope.
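How HMAC-signed state and a PKCE pair can be built and checked with Node's crypto module, as an added example that is not the runtime's own implementation. The function names, the state layout (`body.signature`) and the payload fields (`nonce`, `exp`) are assumptions made for illustration.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from 'node:crypto';

// Hypothetical payload shape; the runtime's real state fields are not shown on this page.
type StatePayload = { pluginId: string; tenantId: string; nonce: string; exp: number };

const b64url = (buf: Buffer): string => buf.toString('base64url');

// Assumed layout: base64url(JSON payload) + "." + base64url(HMAC-SHA256(secret, body)).
function signState(payload: StatePayload, secret: string): string {
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const mac = createHmac('sha256', secret).update(body).digest();
  return `${body}.${b64url(mac)}`;
}

// Returns the payload only if the MAC matches and the state has not expired.
function verifyState(state: string, secret: string, now: number = Date.now()): StatePayload | null {
  const [body, sig, ...rest] = state.split('.');
  if (!body || !sig || rest.length > 0) return null;
  const expected = createHmac('sha256', secret).update(body).digest();
  const given = Buffer.from(sig, 'base64url');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  // The body is parsed only after the MAC check, so untrusted JSON is never parsed.
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8')) as StatePayload;
  return payload.exp > now ? payload : null;
}

// S256 challenge as defined in RFC 7636: base64url(SHA-256(ASCII(verifier))).
function pkceChallenge(verifier: string): string {
  return b64url(createHash('sha256').update(verifier, 'ascii').digest());
}

// 32 random bytes encode to a 43-character verifier, the minimum length RFC 7636 allows.
function makePkce(): { verifier: string; challenge: string } {
  const verifier = b64url(randomBytes(32));
  return { verifier, challenge: pkceChallenge(verifier) };
}
```

A callback handler built this way rejects the request when `verifyState` returns `null`, before any token exchange, and keeps the PKCE verifier server-side until that exchange.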

Studio OAuth flow

For oauth_2 plugins, the Studio's plugin detail page exposes a Start OAuth button. The button calls /api/auth/start and opens the auth URL in a new tab; Studio's own /api/auth/callback route then captures the code and writes the tokens back to the KeyStore. See Studio OAuth docs.
