Skip to content
Docs
flero.ai

OAuth flow

For services that use OAuth 2.0 (Slack, Google, Microsoft, Salesforce, HubSpot, …), creating a credential involves a brief hand-off to the service's authorization page. Flero handles the protocol; this page explains what you'll see.

🎬 Gif needed: credentials__oauth-handoff.gif, clicking Authorize → new tab opens to the service's consent page → user clicks Allow → tab closes → "Connected!" appears in the credential dialog. ~6 seconds.

What happens, step by step

  1. In Settings → Credentials → Add credential, pick the service, set the display name and scope, then click Authorize.
  2. A new browser tab opens to the service's OAuth consent page (e.g. accounts.google.com, slack.com/oauth/v2/authorize).
  3. Sign in to the service if you're not already signed in.
  4. The service shows a consent screen listing the permissions Flero is asking for. Review them, typical asks include:
    • Read your profile.
    • Read / write the specific resources you'll automate (messages, files, contacts, …).
  5. Click Allow (or the equivalent button).
  6. The tab redirects to a Flero callback URL, shows "You can close this tab", and closes automatically (most browsers, Safari sometimes doesn't auto-close, that's fine).
  7. Back in the credential dialog, the Authorize button turns into Connected! and the access token is now stored.
  8. Click Save.

Permissions / scopes

The exact permissions Flero requests are listed on the consent screen, and also documented on each connector's catalog page. They're scoped to what the connector actually needs, Flero doesn't ask for blanket access.

If the consent screen asks for something that surprises you, stop and read the connector's catalog page before granting. Permissions can't be narrowed after-the-fact without re-authentication.

OAuth apps and admin approval

Some services (Salesforce, Microsoft Graph, certain Google Workspace setups) require an admin to pre-approve the Flero OAuth app for your tenant. If you see "This app isn't verified" or "Admin approval required", contact your IT team, they need to enable the Flero app in their admin console.

Once approved, your authorize click goes through normally.

Refresh tokens

OAuth access tokens are short-lived (typically 1 hour). Flero stores both the access token and the longer-lived refresh token, and uses the refresh token automatically to mint new access tokens as needed. You don't need to think about this, credentials keep working.

When the refresh token itself expires (most services: 90 days of inactivity), the credential goes into "expired" status and you'll need to re-authenticate. Workflows that use the credential start failing with a clear message until you do.

Re-authentication

Edit the credential → Re-authenticate. Same flow as the initial authorize. Replaces the stored tokens; everything else (display name, scope, references in workflows) stays the same.

Revoking the connection

Two layers:

  • In Flero, Edit the credential → Revoke. Stops Flero from using it.
  • In the service, go to the service's "Connected apps" page (e.g. myaccount.google.com/permissions, Slack's app directory, Salesforce's "Connected Apps OAuth Usage") and revoke Flero's access. Belt-and-braces, particularly important if the credential was compromised.

Revoking in the service is what genuinely invalidates the tokens. Revoking in Flero only stops Flero from sending requests.

Tips & gotchas

  • Use the browser you're already signed in to the service with. Switching browser mid-flow can cause confusing "wrong account" outcomes. Verify the consent screen shows the right account email at the top.
  • OAuth state is per-credential, not per-user. A workspace-scoped OAuth credential authorizes Flero to act as the user who clicked Authorize. If that user leaves the company, the credential may stop working, rotate ownership before they go.
  • Popup blockers can stop the OAuth tab from opening. Disable for your Flero domain, or click the inline "open authorize page" link manually if the popup fails.
  • Localhost / self-hosted Flero needs an OAuth redirect URL that the external service accepts. Each connector has admin-only setup steps for self-hosted, see the connector page.

Found something out of date? This page lives in the Flero docs content set.