OAuth 2.0 FAQs

If you need additional assistance, please reach out to your Ironclad support representative.

What is OAuth 2.0?

OAuth 2.0 is a technology that lets you give one website or app permission to access your data on another website or app without sharing your password or token credentials. This way, you control what information is shared and can revoke access at any time, making it a safe way to use different services together. In the Ironclad API, it is used to authorize an app or integration to access Ironclad data and to authenticate API requests. OAuth 2.0 is a more secure alternative to legacy access tokens and is in line with industry standards.

How would we use it at my company?

OAuth 2.0 can be used to authenticate your integrations or scripts to the Ironclad API so that our system accepts your API requests as legitimate requests with access to your data. Those requests can then be tied back to a specific user for audit and reporting purposes.

What is the Authorization Code grant?

There are multiple ways (called "grants") to use OAuth 2.0 to authorize and authenticate API requests. The OAuth 2.0 Authorization Code grant is a way for individual users to give a website or app permission to access their information in Ironclad without sharing credentials directly. Here's how it works in simple terms:

  1. Start Sign-In: When you try to connect an app or integration to Ironclad, the app redirects you to Ironclad to sign in.
  2. Give Permission: After you log in, Ironclad asks if you want to allow the app to access select information.
  3. Authorization Code: If you agree, Ironclad sends a special code back to the app.
  4. Access Granted: The app exchanges this code for a token from Ironclad, then uses the token to get the information it needs from the Ironclad API to enable the integration functionality.
    This process ensures that your credentials stay private and you only share the information you choose. It's like giving a trusted friend a key to your house without giving them your alarm code.
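
The four steps above from the app's side, as an added example that is not Ironclad's code. The parameter names are the standard ones from RFC 6749; the endpoint, client ID, redirect URI and scope are hypothetical placeholders. It goes one step beyond the list by binding the returned code to the user's session with the standard `state` parameter, so a code injected by another party is rejected.

```python
import secrets
from hmac import compare_digest
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values: substitute the endpoint and client details from your
# own app registration. None of these come from Ironclad's documentation.
AUTHORIZE_URL = "https://auth.example.test/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.test/callback"


def start_sign_in(scope):
    """Step 1: build the redirect URL plus a one-time state value."""
    state = secrets.token_urlsafe(32)  # store this in the user's session
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def handle_callback(callback_url, expected_state):
    """Step 3: accept the code only if the callback belongs to this session."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [""])[0]
    if not compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not from this sign-in")
    if "error" in params:  # e.g. access_denied when the user declines
        raise PermissionError(params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_body(code):
    """Step 4: form fields the app POSTs to the token endpoint."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in step 1
        "client_id": CLIENT_ID,
    }
```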

What is the Client Credentials grant?

There are multiple ways (called "grants") to use OAuth 2.0 to authorize and authenticate API requests. The OAuth 2.0 Client Credentials grant is a way for an app to securely access Ironclad data on its own, without needing a user to explicitly log in and grant access. This is often used for integrations that don't have web interfaces. Here's how it works in simple terms:

  1. Application Needs Access: An app or integration needs to get information from Ironclad, like contract status.
  2. Get Credentials: The app has its own set of login details (credentials) given after registering the app in Ironclad.
  3. Request Access: The app uses these credentials to ask Ironclad for access.
  4. Access Granted: Ironclad verifies the credentials and grants the app a token to access the data it needs on your user's behalf to enable the functionality.
    This way, the app can securely access and use the necessary information without involving individual user accounts. It's like a business having a key to its supplier's warehouse to get materials directly, without any employees needing to be involved.
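
A sketch of steps 3 and 4 from the app's side, added here as an example and not taken from Ironclad's code. The request shape follows RFC 6749; the credentials and scope are hypothetical placeholders, and the HTTP call is replaced by a constructed stand-in so the block runs offline. It keeps the client secret in the Authorization header and reuses the token until shortly before it expires, so the secret is sent as rarely as possible.

```python
import base64
import time

# Hypothetical credentials: use the values issued when the app was registered.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"


def build_token_request(scope):
    """Step 3: the credentials travel in the Authorization header."""
    pair = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, {"grant_type": "client_credentials", "scope": scope}


class TokenCache:
    """Step 4: hold the token and request a new one shortly before expiry."""

    def __init__(self, send, scope, skew=30, clock=time.monotonic):
        self._send, self._scope = send, scope  # send(headers, body) -> dict
        self._skew, self._clock = skew, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            reply = self._send(*build_token_request(self._scope))
            if reply.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in response")
            self._token = reply["access_token"]
            # With no expires_in in the reply, the token is fetched every time.
            lifetime = reply.get("expires_in", 0)
            self._expires_at = self._clock() + lifetime - self._skew
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.get()}"}


def fake_token_endpoint(headers, body):
    """Constructed stand-in for the HTTP POST to the token endpoint."""
    fake_token_endpoint.calls += 1
    return {"access_token": f"tok-{fake_token_endpoint.calls}",
            "token_type": "Bearer", "expires_in": 3600}


fake_token_endpoint.calls = 0
```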

How would OAuth 2.0 impact admin and user experience?

  1. This does not impact existing Ironclad integrations in any way (Salesforce/Coupa/OneTrust/Slack/etc). It is only relevant for integrations that are powered by the CLM API (e.g. custom development and/or integrations built by Ironclad Ecosystem partners) that are built using OAuth 2.0.
  2. Existing integrations based on legacy access tokens will continue to function normally at this time, but OAuth 2.0 will be the only way to authenticate API requests in the near future.
  3. This is more of an "under the hood" improvement to use more secure API protocols. Developers will notice the most significant impact while using this feature, since an integration built with OAuth 2.0 is a little bit different than one built with our existing legacy access tokens.

End User Impact (for the Authorization Code Grant):

  1. The biggest change end users would see when using the Authorization Code grant is that they will get prompted to put in their Ironclad username/password and consent to data access as part of integration setup flows.
  2. You can see our OAuth 2.0 Authorization Code grant user experience in action when you log into the Ironclad Academy! Now you'll be able to use the same authorization experience in your own integrations.
  3. There will also be a "My Integrations" page in personal settings so users can see the list of all the integrations connected to their personal account. Users can also revoke access here.

Admin User Impact:

  1. The biggest change for admins is that every API action is now tied to a specific user (e.g. not just "Ironclad's API token did X action", but "Jane Doe launched a workflow via API" and "John Smith commented on a workflow via API"). So everyone interacting with Ironclad through an integration should have an appropriate-level license in the Ironclad instance. Overall, using OAuth 2.0 will be a big improvement for access control, security, and audit trails!