Guides
API DocsCommunityNeed Help?

Manage user tokens and credentials

Suggest Edits

Using the credentials app feature, you can effortlessly connect to third-party services—minimal coding required!

Whether you're building blocks for monday workflows or integrating external APIs, this feature makes secure, scalable integrations easier than ever. The framework handles authentication flows and credential storage, so you can focus on building flexible, user-friendly solutions.

Concepts

The credentials app feature enables secure authentication between monday apps and third-party services—such as Google, Dropbox, or Slack— within monday workflows.

It manages the full OAuth 2.0 flow, including redirect handling, token exchange, and refresh support (when applicable). Once authenticated, user-specific credentials are securely stored and scoped to the app. These credentials can then be reused across multiple workflow app features, including blocks and custom fields.

Implementation

Building a credentials app feature requires setting up both your monday app and the third-party service you are integrating with. Since these two systems rely on coordination between your apps, some configurations will need to happen in parallel.

The steps below provide a high-level overview of the process, with additional details available in the Reference section:

  1. Start by creating an app for the third-party service you want to integrate with. Follow the provided instructions to set up the required settings accurately.
  2. Create an app or open an existing one in the monday.com Developer Center.
  3. Add a Credentials app feature. Learn how to create a new app feature here.
  1. After creating your monday app feature, configure your monday app's settings for each of the sections below:
SectionDescriptionNotes
Basic detailsEnter a name, description, and default field keyThis key will be automatically suggested as the default in the request payload whenever you use or select this credentials app feature within other app features.
OAuth 2.0 Redirect URLPaste this into your third-party service app’s redirect settingsYou can read more here.
Enter your application credentialsCopy and paste the client ID and client secret from your third-party service app; select if you want to include the client ID and secret in the request body or headerWe recommend keeping the default (header), as most developers won’t need to change it unless a third-party specifically requires it.
Configure OAuth endpointConfigure the authorization URL, scopes, access token request, and refresh token request from your third-party service app
Extra detailsProvide a URL to your own server to request a unique provider IDThis endpoint should return a unique provider ID, allowing monday to uniquely identify users across different services. You can read more here.
Retrieve paramsConfigure how to extract values from the access token and OAuth callback responsesThese extracted parameters will be included in the request to your unique provider identifier endpoint.
  1. Configure your credential parameters (optional).
  2. Connect the credentials app feature to your block and custom field app features to use in the workflow builder.
  3. Test your workflow blocks using these steps (optional, but recommended).
  4. Promote the draft version to live to make the feature accessible in the platform.
  5. After successful authentication, the credentials will be stored in monday.

Reference

Redirect URL

When configuring your external app, all third-party services that support OAuth 2.0 will ask for a redirect URL where they will send users after they login.

You can access this in the Developer Center after creating your monday.com credentials app feature. Alternatively, you can use the following OAuth Redirect URL: https://apps-credentials.monday.com/authorize/oauth2/redirect-uri

Provider unique identifier

Some third-party services use unique identifiers to recognize individual user connections.

👉 For example: In Gmail, the unique identifier is the user's email address.

Since there's no standard for exposing or retrieving the identifier across different services, you must provide a publicly accessible backend endpoint that we can call to retrieve it. This endpoint should verify the incoming request by checking the Authorization header against the application signing secret.

// Example: Verify Authorization header using the jsonwebtoken package

const { authorization } = req.headers;

const signingSecret = process.env.MONDAY_SIGNING_SECRET;

await new Promise((resolve, reject) => {
   jwt.verify(authorization, signingSecret, (err, decoded) => {
      if (err) {
        reject(err);
      } else {
        resolve(decoded);
      }
   });
});

After implementing your endpoint:

  1. Navigate to the Extra details section of your credentials app feature.
  2. Enter the URL of the endpoint used to retrieve the provider’s unique identifier — e.g., https://your-server

This refers to the request monday.com sends to your backend during the OAuth callback phase. After the OAuth flow is complete, we’ll call your provided endpoint to retrieve the provider’s unique identifier for the user's credentials.

We include the user's access token in this request, along with the following payload:

{
  "token": "abcs1234"
}

{  
  "userId": 123, // The ID of the user initiating the request  
  "accountId": 456, // The ID of the account associated with the request  
  "appFeatureReferenceId": 789, // The reference ID of your app feature  
  "callbackRequestedParams": {...}, // Parameters extracted from the OAuth callback  
  "tokenRequestedParams": {...}, // Parameters extracted from the token response  
  "userCredentialsParams": {...} // Optional parameters provided by the user  
}

We automatically enrich the request with the user’s access token, using the key you provided under the token key.

🚧 To ensure secure token handling while still allowing you to complete one-time, token-authenticated requests, we have the following security measures:
  • You cannot initiate requests to retrieve this access token.
  • You are not allowed to store the access token.
  • If you attempt to store it, you will only have access to the raw token string — not identifying metadata or a refresh capability.
  • The token cannot be renewed by your app.

Expected response

Your server should return the following format:

{  
  "providerUniqueIdentifier": "[email protected]", // a unique token-specific ID  
  "displayName": "Test Gmail" // the name displayed to the user in the UI  
}

Configure credential parameters

Some third-party services require user-specific information (e.g., subdomain, region, organization ID) before initiating the authentication flow. Using credential parameters, you can collect this information and define extra input fields that appear when a user sets up the integration.

👉 For example: In Salesforce, we need to know the user's subdomain to be able to interact with the correct API.

Supported types

Credential parameters support primitive data types: string, boolean, and number.

You can link a parameter to a field type that uses one of these primitive types. Parameters can also reference a primitive field type that includes static options.

How to configure

  1. You can configure credentials parameters directly in the Developer Center under your Credentials app feature. When adding a parameter, be sure to include:
  • Name: A short key used to reference the value in API calls
  • Title: A user-facing name that explains what the field is
  • Type: Choose from string, number, or boolean
  • Required: Mark whether the field is required
  1. Once configured, these parameters can be referenced inside the other credential fields through a {{parameterName}} syntax.
"authorizationUrl": {
  "type": "url",
  "value": "https://{{subdomain}}.salesforce.com/oauth2/authorize"
}
  1. When the authorization flow is initiated, we replace the parameters with user-provided input. That value is also available in the payload of your provider's unique identifier endpoint and other credential-based requests (e.g., block execution URL, and remote options).

Connect credentials app feature to other app features

You have to connect the credentials app feature to use it in the workflow builder:

Custom field for monday workflows

  1. Open your custom field app feature and navigate to the Credentials section.
  2. Click Add credentials.
  3. Select the credential from the dropdown and assign a key*.
  4. Click Add.

* 📝 Note: The key will be used in the payloads of requests made to your service (e.g., for remote options or sub-fields). It will be accessible under the credentialsValues attribute.

Integration for monday workflows

  1. Open your block app feature and navigate to the Credentials section.
  2. Click Add credentials.
  3. Select the credential from the dropdown and add a title, header (optional), subheader, and key*.
  4. Click Add.

* 📝 Note: The key will be used in the payloads of requests made to your service (e.g., for subscribe and unsubscribe or run execution). It will be accessible under the credentialsValues attribute.

Updated 22 days ago