code_challenge and code_verifier parameters. Providers such as Google, Twitter, GitLab, Spotify, Zoom, Asana or Dropbox are all PKCE-ready. If you find that your provider does not yet support PKCE, you can often use other forms of authorization such as personal access tokens (usable with Raycast password preferences), or open-source PKCE proxies that "adapt" an OAuth flow to be PKCE-compatible (you would need to operate your own backend service in this case, so this is only recommended for very advanced use cases.)
OAuth.PKCEClient.
OAuth.RedirectMethod docs for each method to get concrete examples for supported redirect URIs.) If you can choose, use OAuth.RedirectMethod.Web and enter https://raycast.com/redirect?packageName=Extension (whether you have to add the ?packageName=Extension depends on the provider).
AuthorizationRequest contains parameters such as the code challenge, verifier, state and redirect URI as a standard OAuth authorization request. You can also customize the authorization URL through OAuth.AuthorizationOptions if you need to.
authorize with the request from the previous step. This call shows the Raycast OAuth overlay and provides the user with an option to open the consent page in the web browser. The authorize promise is resolved after the redirect back to Raycast and into the extension:
node-fetch:
TokenSet contains an access token and typically also a refresh token, expires value, and the current scope. Since this data is returned by the provider's token endpoint as a standard OAuth JSON response, you can directly store the response (OAuth.TokenResponse) or alternatively use OAuth.TokenSetOptions:
TokenSet also enables you to check whether the user is logged in before starting the authorization flow:
offline.access or it only returns an access token.) A basic refresh flow could look like this:
isExpired() on the TokenSet). If it is expired, the token is refreshed and updated in the token set. Example using node-fetch:
accessToken, and typically you also set refreshToken and isExpired.
isExpired() method, the property expiresIn must be configured.
https://raycast.com/redirect or https://raycast.com/redirect?packageName=Extension (For example, Twitter would accept the former, while Spotify requires the query parameter.)
raycast://oauth?package_name=Extension
com.raycast:/oauth?package_name=Extension (Note the single slash – Google, for example, would require this flavor for an OAuth app where the Bundle ID is com.raycast)
code_challenge value. (string)
code_verifier value. (string)
state value. (string)
redirect_uri value. (string)

code_challenge value. (string)
code_verifier value. (string)
state value. (string)
redirect_uri value. (string)
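
How the code_challenge, code_verifier and state values listed above relate to each other, as an added example that is not taken from the Raycast documentation or API: it derives the challenge with the S256 method of RFC 7636 and shows the checks the client and the provider make. The function names and the shape of the request object are assumptions made for this illustration.

```javascript
// Added illustration, not Raycast's implementation. Function and field names are assumptions.
const { createHash, randomBytes, timingSafeEqual } = require("crypto");

// RFC 7636: a code_verifier is 43-128 characters from the unreserved URI set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// S256 method: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), unpadded.
function codeChallengeS256(codeVerifier) {
  if (!VERIFIER_RE.test(codeVerifier)) throw new Error("invalid code_verifier");
  return createHash("sha256").update(codeVerifier, "ascii").digest("base64url");
}

// Constant-time string comparison that tolerates differing lengths.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

// Client: fresh random verifier and state for every authorization request.
function newAuthorizationRequest(redirectURI) {
  const codeVerifier = randomBytes(32).toString("base64url"); // 43 characters
  return {
    codeVerifier, // kept by the client, sent only with the token request
    codeChallenge: codeChallengeS256(codeVerifier), // sent in the authorization URL
    state: randomBytes(16).toString("base64url"), // echoed back on the redirect
    redirectURI,
  };
}

// Client: accept the redirect only if it echoes the state of this request.
function redirectMatchesRequest(request, returnedState) {
  return safeEqual(request.state, returnedState);
}

// Provider (token endpoint): recompute the challenge from the presented verifier.
function providerAcceptsVerifier(storedChallenge, presentedVerifier) {
  try {
    return safeEqual(codeChallengeS256(presentedVerifier), storedChallenge);
  } catch {
    return false; // malformed verifier
  }
}
```

A provider that stored the challenge rejects a token request carrying any other verifier, which is why an authorization code intercepted on the redirect cannot be redeemed without the verifier held by the client.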
expiresIn parameter to be set. (() => boolean)

access_token value returned by an OAuth token request. (string)
refresh_token value returned by an OAuth token request. (string)
id_token value returned by an identity request (e.g. /me, Open ID Connect). (string)
expires_in value (in seconds) returned by an OAuth token request. (number)
scope value returned by an OAuth token request. (string)