We use cookies to enhance your experience and measure how the site performs. Choose "Essential Only" to disable analytics. Read our Privacy Policy.

    Odeus Docs

    Bring Your Own OAuth Client

    Set up your own OAuth application for integrations to control scopes, enable additional integrations, or replace Odeus's default OAuth client with your custom configuration.

    Bring Your Own OAuth Client

    Set up your own OAuth application for integrations to control scopes, enable additional integrations, or replace Odeus's default OAuth client with your custom configuration.

    Custom OAuth clients apply workspace-wide for the specific integration. All new connections will use your OAuth application once configured.

    How Custom OAuth Works

    When you configure a custom OAuth client, Odeus routes all authentication flows through your OAuth application instead of the default Odeus client. This means:

    • Your branding (custom name and logo) appears in consent screens

    • Your tenant policies control user access and admin consent requirements

    • Your rate limits apply to API calls made by your users

      Register a new OAuth application in your provider's developer portal (Google Cloud Console, Microsoft Azure, etc.).

      Required Configuration:

      • Copy the exact redirect URL from Odeus's integration settings
      • Select all required scopes shown in Odeus for that integration
      • Configure any tenant-specific settings (admin consent, allowlisting)

      Note down the following from your OAuth app:

      • Client ID (always required)
      • Client secret (required for most integrations)
      • Tenant ID (optional, shown for Microsoft integrations only)

      Navigate to Workspace settings → Integrations and scroll to the Bring your own OAuth Client section. You will see a list of OAuth integrations, each showing its current client status.

      Byo Oauth 1 Pn

      Depending on the integration's current state, do one of the following:

      • If the integration has a Odeus client available, open the dropdown and select Your client to open the configuration dialog.

      • If no Odeus client exists and no custom client is configured, click the Configure button.

      • If no Odeus client exists and your custom client is already configured, you will see Your client displayed alongside an Edit button. Click Edit to modify your configuration.

        <img src="https://mintcdn.com/odeus-34/JSBOyLaI-2nGZohA/images/byo-oauth-2.png?fit=max&auto=format&n=JSBOyLaI-2nGZohA&q=85&s=419adc9c6430510074203b6d7f9e272d" alt="Byo Oauth 2 Pn" width="1166" height="878" data-path="images/byo-oauth-2.png" />

      In the configuration dialog, copy the Redirect URL into your OAuth app and review the Scopes section. Make sure all listed scopes are enabled in your OAuth app — missing scopes will cause an insufficient scopes error. You can copy all scopes at once using the copy button.

      Enter your Client ID and Client secret (and Tenant ID if prompted for Microsoft integrations), then click Save.

      New connections will immediately use your OAuth client and will only work if the credentials are valid. Existing connections continue working until their access tokens expire.

      Have a user connect their account to verify:

      • Consent screen shows your client
      • Required scopes are granted
      • Data access works as expected through actions

    Integration Settings Interface

    The configuration dialog contains the following sections:

    A read-only field displaying the redirect URL your OAuth app must use. Click the copy button to copy it exactly. The URL format is:

```
https://app.odeus.ai/api/integrations/{integration-id}/callback
```

> The redirect URL must match exactly. Any mismatch will cause `redirect_uri_mismatch` errors. The exact domain depends on your Odeus deployment — always copy the redirect URL from the dialog rather than constructing it manually.



Displays the OAuth scopes required for the integration to function correctly. For example, Jira requires scopes like `read:jira-work`, `write:jira-work`, `read:jira-user`, `offline_access`, and `manage:jira-configuration`.

* **Copy**: Copy all scopes to your clipboard for pasting into your OAuth app configuration.
* **Edit**: Switch to edit mode to customize scopes in a text area (advanced use cases only).
* **Reset to default scopes**: Restore the original scope list if you have modified it.

> All listed scopes must be enabled in your OAuth app. Missing scopes will cause `insufficient_scope` errors when users try to connect.



Enter your OAuth application credentials:

* **Client ID** (required): Your app's public identifier
* **Client secret** (required for most integrations): Your app's private key, stored encrypted
* **Tenant ID** (Microsoft integrations only, optional): Your Azure AD tenant identifier

    Switching Back to Odeus's Client

    If you want to stop using your custom client and revert to Odeus's default:

    1. Open the dropdown next to the integration and select Odeus client.
    2. Confirm the switch in the dialog.

    New connections will use Odeus's client going forward. Existing connections made with your custom client continue working until their access tokens expire.

    Common Configuration Errors

    **Cause**: Redirect URL doesn't match exactly between Odeus and your OAuth app

**Solution**:

* Copy the redirect URL from Odeus exactly
* Check for trailing slashes or protocol mismatches
* Verify you're configuring the correct environment



**Cause**: Client ID or Client secret is incorrect

**Solution**:

* Double-check credentials from your OAuth app
* Ensure no extra spaces or characters
* Verify the client is enabled in your provider's console



**Cause**: Admin consent required but not granted

**Solution**:

* Grant admin consent in your tenant settings
* Enable user consent if appropriate for your organization
* Check tenant allowlisting requirements



**Cause**: Missing required scopes in your OAuth app

**Solution**:

* Add all scopes shown in Odeus to your OAuth app
* Users may need to reconnect after adding scopes
* Verify scope names match exactly (case-sensitive)

    Integrations Requiring Your Own OAuth Client

    Some of our integrations can only be used when providing your own OAuth client. Details on how to connect them with Odeus are described in this section.

    ServiceNow

    To enable this integration for your workspace, your ServiceNow system administrator must create an OAuth client, in the form of an application registry in ServiceNow, following this documentation.


    Required authentication fields

    • Provide ServiceNow Subdomain

    When a user wants to create a connection with ServiceNow, they have to provide the subdomain of your ServiceNow instance.

    ServiceNow Integration Requirements

      Only Cloud-hosted accounts are currently supported.



  A paid ServiceNow account is required to create an application registry. View ServiceNow's plans [here](https://www.servicenow.com/lpgp/pricing.html?campid=107977\&cid=p:all:dg:b:prsp:exa:Google_CoreBrand_Top_Restructure:latam:mx\&ds_c=GOOG_LATAM_MX_ES_DEMANDGEN_ALBU_PRSP_Brand_EXA_Top-RES\&cmcid=71700000102193357\&ds_ag=Servicenow+Pricing_EXA_EN\&cmpid=58700008155106586\&ds_kids=p74103339564).



  Yes. To connect by OAuth, your systems administrator should set up the right configuration within your instance to connect any user using an OAuth connection. E.g. all users need the oauth\_user role to be able to connect.  Learn more about ServiceNow's [groups and permissions](https://www.servicenow.com/docs/bundle/zurich-platform-security/page/integrate/identity/task/view-permissions-for-a-group.html)



  Yes. ServiceNow implements rate limiting to prevent excessive API usage. System administrators can configure rules that restrict the number of inbound REST API requests processed per hour. Learn more about ServiceNow's [usage limits](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/integrate/inbound-rest/concept/inbound-REST-API-rate-limiting.html).

    Snowflake

    Configuring your own OAuth client for Snowflake gives you control over authentication policies, token validity periods, and IP allowlisting within your Snowflake environment.

    Required Information:

    • OAuth Redirect URL: Copy this from Odeus's Snowflake integration settings page
    • Client ID: Generated by Snowflake after creating the security integration
    • Client Secret: Generated by Snowflake after creating the security integration
    • Authorization URL: Your Snowflake account's authorization endpoint

    The Redirect URL from Odeus must be provided in Snowflake, while the Client ID, Client Secret, and Authorization URL from Snowflake must be entered into Odeus's integration settings.

    If your Snowflake account has network policies or IP allowlisting enabled, you may need to whitelist Odeus's static IP address to allow connections. See Static IP Configuration for details.

    Setup Guide

      In your Odeus workspace, create your new Snowflake integration, and set up a custom OAuth Client.

  
    1. Navigate to Integrations in Odeus
    2. Click "Add Integration" and select "Start from Scratch"
    3. Fill in your preferred name and description for your new Snowflake integration
    4. Click "Create"
    5. Authentication Type: Select "OAuth 2.0" from the dropdown
    6. Authentication fields: Leave blank
    7. OAuth Configuration: Save your **OAuth Redirect URL**
  



  In Snowflake, select your workspace, and create a new security integration.

  
    1. Create a new `.sql` file, and paste the following query:

    ```sql theme={null}
    CREATE SECURITY INTEGRATION &lt;integration_name&gt;
      TYPE = OAUTH
      ENABLED = TRUE
      OAUTH_CLIENT = CUSTOM
      OAUTH_CLIENT_TYPE = CONFIDENTIAL
      OAUTH_REDIRECT_URI = '&lt;your_redirect_uri&gt;'
      OAUTH_ISSUE_REFRESH_TOKENS = TRUE
      OAUTH_REFRESH_TOKEN_VALIDITY = 86400;
    ```

    2. Replace `&lt;integration_name&gt;` with a descriptive name and `&lt;your_redirect_uri&gt;` with the **OAuth Redirect URL** from Step 1.
    3. Run the query to create your new security integration in Snowflake.
       **Note:** Adjust your `OAUTH_REFRESH_TOKEN_VALIDITY` value based on your security policies.
  



  
    1. Within the same workspace, run the following query:

    ```sql theme={null}
    SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('&lt;integration_name&gt;');
    ```

    2. Replace `&lt;integration_name&gt;` with the name you gave your security integration in the previous step.
    3. Save your **Client ID** and **Client Secret**. Store these credentials securely as they provide access to your Snowflake account.
  



  
    1. Click on your account name in the bottom left corner of your Snowflake application
    2. Under the Account Section, click on "View Account Details"
    3. Copy your **Account URL**
  



  
    1. Add your **Client ID** and **Client Secret** from Step 3 in the respective input fields of your new Odeus integration
    2. In the following sections:

       * Authorization URL
       * Access Token URL
       * Refresh Token URL

       Replace only `https://example.com` with your **Snowflake Account URL** from Step 4.

    Example:

    ```
    https://example.com/oauth/authorize
    ```

    Becomes:

    ```
    https://&lt;your-snowflake-account-url&gt;/oauth/authorize
    ```

    3. Click **Save**
  



  
    Click "Add Connection" in your Snowflake integration.

    * You should be directed to the Snowflake Authorization screen
    * Log into your Snowflake account

    You have now successfully set up your own OAuth Snowflake integration!