Authorization for integration recipes

Learn more about the default authorization for integration recipes and how to implement third-party authorization.

If you're building an integration with another tool, you will likely need to implement authorization. By default, integration recipes don't require a specific authorization flow, such as OAuth. When users choose a recipe in your app, they will be immediately directed to configure the recipe sentence and add it to their board.

Authorization header

Every request from the monday server to your app is accompanied by a JSON Web Token (JWT) in the Authorization header. The token is signed with your app's Signing Secret. Verify that signature with a JWT library (e.g., jsonwebtoken) before relying on the token; the decoded payload carries additional metadata about the request.

The token will have this structure:

{
  "accountId": 1825528,
  "userId": 4012689,
  "aud": "https://www.yourserver.com/endpoint",
  "exp": 1606808758,
  "shortLivedToken": "SHORT_LIVED_TOKEN_HERE",
  "iat": 1606808458
}
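The following added example (not monday's code) shows the checks a receiving endpoint can run on that header before trusting any claim: pinned algorithm, constant-time signature comparison, expiry and audience. It uses only Node's built-in crypto module. Assumptions: the token is HS256-signed, and the function names, sample secret and sample token are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const hmac = (secret, data) => crypto.createHmac('sha256', secret).update(data).digest();

// Returns the verified claims, or throws. Nothing in the token is trusted
// until the signature, expiry and audience checks have all passed.
function verifyMondayJwt(authHeader, signingSecret, expectedAud, nowSec = Math.floor(Date.now() / 1000)) {
  // An optional "Bearer " prefix is tolerated (assumption).
  const parts = String(authHeader || '').replace(/^Bearer\s+/i, '').split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  let header, claims;
  try { header = dec(h); claims = dec(p); } catch { throw new Error('malformed token'); }
  // Pin the algorithm (HS256 assumed) so the token cannot pick "none".
  if (!header || header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = hmac(signingSecret, `${h}.${p}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  if (claims.aud !== expectedAud) throw new Error('wrong audience');
  return claims;
}

// Constructed sample data: the secret and tokens are made up for this example.
const SAMPLE_SECRET = 'constructed-signing-secret';
const SAMPLE_AUD = 'https://www.yourserver.com/endpoint';
const SAMPLE_CLAIMS = { accountId: 1825528, userId: 4012689, aud: SAMPLE_AUD,
  exp: 1606808758, shortLivedToken: 'SHORT_LIVED_TOKEN_HERE', iat: 1606808458 };

// Sample-only signer used to build test tokens; monday issues the real ones.
function signSample(claims, secret, alg = 'HS256') {
  const body = `${enc({ alg, typ: 'JWT' })}.${enc(claims)}`;
  return `${body}.${alg === 'none' ? '' : hmac(secret, body).toString('base64url')}`;
}

// Verification result as a string: "ok:<accountId>" or the rejection reason.
function outcome(token, secret = SAMPLE_SECRET, now = 1606808500) {
  try { return `ok:${verifyMondayJwt(token, secret, SAMPLE_AUD, now).accountId}`; }
  catch (e) { return e.message; }
}

console.log(outcome(signSample(SAMPLE_CLAIMS, SAMPLE_SECRET)));
console.log(outcome(signSample(SAMPLE_CLAIMS, 'wrong-secret')));
console.log(outcome(signSample(SAMPLE_CLAIMS, SAMPLE_SECRET, 'none')));
```

Reject the request with a 401 whenever the function throws, and read `shortLivedToken` only from the claims it returns.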

The JWT is included every time the monday integration server sends a POST request to your integration app feature. This includes:

Short-lived API token

The JWT also contains a short-lived API key that can be used to authenticate against the monday API. The token will be valid for 5 minutes and has the same permission scopes as your app. We will not issue a short-lived token if your app's endpoints do not start with https://.

Third-party authorization

You can use one of the following options if your integration requires a third-party authorization flow (e.g., OAuth or asking for an API token):

  1. Authorization URL: should be used if everyone goes through the same flow
  2. Credentials field: should be used if you want to utilize the same code for workflows and the sentence builder