Authorization URL Migration Guide
As part of the migration to monday workflows, the Authorization URL feature is not supported and must be replaced with the Credentials app feature or built-in authentication mechanisms.
Credentials provide:
- Secure credential storage managed by monday.com
- A consistent user experience
- Support across multiple products (Automation Builder, Workflow Builder, AI Sidekick)
- Built-in credential management (list, create, delete)
Migration Checklist
- Identify which authentication pattern your app uses
- Select the appropriate migration path
- Create a new Credentials feature (if required)
- Update your block implementations to use the new authentication method
- Test the authentication flow end-to-end
The migration wizard does not migrate Authorization URL usage automatically. You must manually complete the steps for one of these paths below.
Migration Paths
Path 1: monday.com API Authentication
Use case
You used the Authorization URL to authenticate requests to monday.com's GraphQL API.
Migration approach
Use the shortLivedToken included in the JWT Authorization header sent to your block endpoints. No Credentials feature or user connection flow is required.
Notes
- The
shortLivedTokenis valid for 5 minutes- It is included automatically in every block request
How it works
- monday.com sends requests to your block endpoints with an
Authorizationheader - Verify and decode the JWT using your app's Signing Secret
- Extract the
shortLivedTokenfrom the JWT payload - Use the token to authenticate API calls to monday.com
JWT payload structure
{
"accountId": 1825529,
"userId": 4012689,
"aud": "https://www.yourserver.com/endpoint",
"exp": 1606808758,
"shortLivedToken": "eyJhbGciOiJIUzI1NiJ9...",
"iat": 1606808458
}Example
import jwt from 'jsonwebtoken';
router.post('/your-block-endpoint', async (req, res) => {
const token = req.headers.authorization?.replace('Bearer ', '');
const payload = jwt.verify(token, process.env.MONDAY_SIGNING_SECRET);
const mondayToken = payload.shortLivedToken;
const response = await fetch('https://api.monday.com/v2', {
method: 'POST',
headers: {
Authorization: mondayToken,
'Content-Type': 'application/json'
},
body: JSON.stringify({
query: 'query { me { id name } }'
})
});
// ...handle response
});
Path 2: OAuth with Third-Party Services
Use case
You used the Authorization URL to perform OAuth authentication with external services (e.g., Google, Slack, Salesforce).
Migration approach
Use a Credentials app feature configured with OAuth. monday.com handles the OAuth flow and securely stores credentials.
- Create a credentials app feature.
- Select OAuth as the authentication type.
- Configure the OAuth settings:
- Client ID
- Client Secret
- Authorization URL (third-party service)
- Token URL
- Scopes
- Redirect URI handling
- Add the credentials field to your block's configuration
- Access the OAuth token at runtime.
Runtime example
{
"payload": {
"credentialsValues": {
"credentials-key": {
"userCredentialsId": 1231,
"accessToken": "..." // Used to make API calls to the third-party service
}
}
}
}Path 3: API Key Authentication
Use case
You used the Authorization URL to collect API keys for third-party services.
Migration approach
- Create a new Credentials app feature.
- Select API Key as the authentication type.
- Add the credentials feature to your blocks.
- Receive credential values at runtime.
Path 4: Custom or Manual Authentication
Use case
You implemented custom authentication logic that does not fit OAuth or API key patterns.
Migration approach
Use a Credentials app feature with custom field configuration. This approach is intended for advanced use cases that cannot be modeled using OAuth or API key authentication.
- Create a new Credentials app feature.
- Configure custom fields for user input.
| URL | Purpose |
|---|---|
| Credentials URL | Return the list of saved credentials |
| Authorization URL | Handle new credential creation |
| Delete Credentials URL | Remove a credential |
Updated about 12 hours ago