An open standard for secure authorization that lets third-party apps access data without sharing passwords.
Definition
OAuth (Open Authorization) is an open standard protocol that allows third-party applications to access a user's data on another service without requiring the user to hand over their password. Instead of sharing credentials directly, the user authenticates with the original service (such as Google or Stripe) and grants the requesting application a limited access token. That token specifies exactly what the application can do — read a specific spreadsheet, write to a particular folder, process payments — and the user can revoke it at any time. OAuth 2.0 is the current version used by virtually all major web services, and it underpins the "Sign in with Google" and "Connect your account" flows that are now standard across the web.
Why It Matters
Without OAuth, connecting two services would require sharing your login credentials with the third-party application — a serious security risk that gives that application full, unrestricted access to your account. OAuth solves this by creating a controlled delegation model. The third-party application receives only the specific permissions it needs, for only as long as you allow it. If the application is compromised, attackers get a limited token rather than your password. For digital publishers who rely on multiple tools — analytics platforms, email marketing services, payment processors, spreadsheet integrations — OAuth is the mechanism that makes those connections safe and manageable without creating a web of shared passwords.
How It Works in FlipLink
FlipLink uses OAuth-based authorization when connecting to third-party services through the [automation and integrations](/features/automation-and-integrations) feature. When you set up the [Google Sheets integration](/integrations/google-sheets), for example, you are redirected to Google's consent screen where you authorize FlipLink to write lead data to a specific spreadsheet. FlipLink receives a scoped access token — it can write to that spreadsheet but cannot read your email, access your Drive files, or perform any action outside the granted permission. The [Stripe integration](/integrations/stripe) works similarly: you authorize FlipLink to process payments on your behalf through Stripe's OAuth flow, and FlipLink never stores or sees your Stripe password. All tokens are stored securely and can be revoked from either the FlipLink dashboard or the third-party service's settings.
Technical Details
OAuth 2.0 defines several grant types, each suited to a different integration scenario:
- **Authorization Code Grant**: The most common flow for server-side applications. The user is redirected to the authorization server (e.g., Google) and grants permission; the authorization server then redirects the user back to the application with an authorization code, which the application exchanges for an access token. This is the flow FlipLink uses for Google Sheets and Stripe integrations.
- **Client Credentials Grant**: Used for server-to-server communication where no user interaction is needed. The application authenticates directly with its own credentials.
- **Refresh Tokens**: Access tokens are short-lived by design (typically 1 hour). A refresh token allows the application to request a new access token without requiring the user to re-authorize. This is why your FlipLink integrations continue working without you needing to reconnect every day.
Each token carries a defined scope — a set of permissions that limits what the application can do. A token scoped to "spreadsheets.write" cannot read email or access files outside the authorized spreadsheet. This principle of least privilege is central to OAuth's security model.
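The client side of the authorization code grant described above, as an added example (not FlipLink's code). The endpoint, client ID, redirect URI and the `session` dict are constructed placeholders; the `state` parameter is the standard RFC 6749 value that ties the callback to the browser session that started the flow, which this page does not otherwise cover.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders, not real endpoints or credentials.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def build_authorization_url(scope, session):
    """Step 1: URL that sends the user to the consent screen."""
    state = secrets.token_urlsafe(32)   # unguessable, stored server-side
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",        # selects the authorization code grant
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,                 # only the permissions actually needed
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(callback_url, session):
    """Step 2: validate the redirect and return the token-request form."""
    parts = urlsplit(callback_url)
    if parts.scheme != "https":
        raise ValueError("callback must arrive over HTTPS")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    expected = session.pop("oauth_state", None)   # single use: replays fail
    received = params.get("state", "")
    if expected is None or not hmac.compare_digest(
            expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error']}")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    # Step 3: these fields are POSTed server-to-server to the token endpoint
    # together with client authentication; the code is short-lived.
    return {
        "grant_type": "authorization_code",
        "code": params["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }
```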
Security Considerations
OAuth is secure by design, but its safety depends on proper implementation by all parties involved:
- **Token storage**: Access tokens and refresh tokens must be stored securely on the server side, never exposed in client-side code or URLs. FlipLink stores all integration tokens encrypted on its servers.
- **Scope limitation**: Applications should request only the minimum permissions needed. FlipLink requests write access to a specific spreadsheet, not broad access to your entire Google account.
- **Token revocation**: Users should periodically review which applications have access to their accounts. Both Google and Stripe provide dashboards where you can see and revoke authorized applications.
- **HTTPS requirement**: All OAuth flows must occur over HTTPS to prevent token interception during the authorization process. FlipLink enforces HTTPS for all API communication and integration callbacks.
- **Phishing risk**: Attackers sometimes create fake authorization screens that mimic legitimate services. Always verify you are on the actual service's domain (accounts.google.com, not goog1e-auth.com) before granting permissions.
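A server-side check for the scope-limitation point above and for the short-lived tokens described under Technical Details, as an added example (not FlipLink's code). It validates a token-endpoint response against the scope that was requested and decides when a refresh is due; the response fields are the standard RFC 6749 ones, and the 60-second skew is an assumed value.

```python
import time


def check_token_response(resp, requested_scope, now=None):
    """Validate a token-endpoint JSON response against the requested scope."""
    now = time.time() if now is None else now
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    if not resp.get("access_token"):
        raise ValueError("missing access_token")
    requested = set(requested_scope.split())
    # RFC 6749 section 5.1: 'scope' may be omitted only when it is identical
    # to what the client requested, so a missing field means "as requested".
    granted = set(resp.get("scope", requested_scope).split())
    extra = granted - requested
    if extra:
        # A broader token than was asked for breaks least privilege.
        raise ValueError(f"token grants more than requested: {sorted(extra)}")
    return {
        "granted": granted,
        "missing": requested - granted,   # the grant was narrowed
        # No expires_in means the lifetime is unknown: treat as expired now.
        "expires_at": now + int(resp.get("expires_in", 0)),
    }


def needs_refresh(expires_at, now=None, skew=60):
    """True when the token is expired or within `skew` seconds of expiry."""
    now = time.time() if now is None else now
    return now >= expires_at - skew
```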
Frequently Asked Questions
**What happens if I revoke an OAuth token?**
The integration stops working immediately. For example, if you revoke FlipLink's access to your Google Sheets from your Google account settings, new leads will no longer sync to the spreadsheet. You can reconnect at any time by re-authorizing through the FlipLink dashboard.
**Does FlipLink store my Google or Stripe password?**
No. OAuth is specifically designed to avoid password sharing. FlipLink receives only an access token with limited permissions. Your passwords remain exclusively with Google and Stripe.
**Can I limit what FlipLink can access in my Google account?**
Yes. During the OAuth authorization flow, the consent screen shows exactly what permissions FlipLink is requesting. FlipLink requests only the minimum scope needed — typically write access to a single spreadsheet. It cannot access your email, calendar, or other Google services.