OAuth 2.0 Authentication

When it comes to providing secure and delegated access to your APIs, OAuth 2.0 is the industry standard protocol. OAuth enables users to authorize third-party applications, like ChatGPT plugins, without sharing their credentials. Here's a primer on how to implement OAuth 2.0 authentication for your ChatGPT plugin.

OAuth Flow with ChatGPT Plugins

The OAuth 2.0 authentication flow for ChatGPT plugins can be described in the following steps:

  1. Setting up your Plugin: Choose "Develop your own plugin" in the ChatGPT plugin store, and provide the domain where your plugin is hosted (it cannot be localhost).

  2. Setting up OAuth: In your ai-plugin.json, set auth.type to oauth.

  3. Entering Client ID and Secret: You'll be asked to input your OAuth client ID and client secret. The client ID is user-facing, while the client secret is securely stored in an encrypted form.

  4. Adding Verification Token: After providing your client ID and secret, you'll receive a verification token. Include this token in your ai-plugin.json file under the auth section.

  5. User Authentication: When a user installs your plugin, they'll encounter a "Sign in with" button. Clicking this button redirects them to the authentication page of your service, where they'll authorize the plugin.

  6. Token Exchange: After successful user authentication, ChatGPT will request an access token (and optionally, a refresh token) from your service. The service should return a response similar to { "access_token": "example_token", "token_type": "bearer", "refresh_token": "example_token", "expires_in": 59 }.

  7. Making Requests: For each request to your plugin, the user's access token is included in the Authorization header.
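The service side of steps 3, 6 and 7, written out as an added illustration (this is not OpenAI's code or any real plugin's): a single-use authorization code bound to the client and redirect_uri, a client-secret check before the code is consumed, and bearer-token validation on incoming plugin requests. The class and function names, the client registration and all token lifetimes are constructed for the example; a production service would persist state and use a vetted OAuth library.

```python
"""Constructed stand-in for the plugin service's OAuth endpoints."""
import hashlib
import hmac
import secrets
import time

# Constructed client registration (step 3). ChatGPT holds the secret;
# the service stores only a digest of it. Both values are placeholders.
REGISTERED_CLIENTS = {
    "plugin-client-id": hashlib.sha256(b"plugin-client-secret").hexdigest(),
}
CODE_LIFETIME_S = 60        # authorization codes stay valid only briefly
TOKEN_LIFETIME_S = 3600     # reported back to ChatGPT as expires_in


class TokenStore:
    """In-memory issuance of single-use codes and expiring bearer tokens."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock, so expiry can be tested
        self._codes = {}        # code -> (client_id, redirect_uri, user, expires_at)
        self._tokens = {}       # access_token -> (user, expires_at)
        self._refresh = {}      # refresh_token -> user

    def issue_code(self, client_id, redirect_uri, user):
        """Step 5: after the user consents, mint a code bound to client and redirect_uri."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user, self.now() + CODE_LIFETIME_S)
        return code

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Step 6: validate the exchange and return the token response, or None."""
        expected = REGISTERED_CLIENTS.get(client_id)
        presented = hashlib.sha256(client_secret.encode()).hexdigest()
        # Constant-time comparison; checked before the code is touched so a
        # failed client authentication does not burn the user's code.
        if expected is None or not hmac.compare_digest(expected, presented):
            return None
        entry = self._codes.pop(code, None)     # pop: each code is redeemable once
        if entry is None:
            return None
        bound_client, bound_redirect, user, expires_at = entry
        if (bound_client != client_id or bound_redirect != redirect_uri
                or self.now() > expires_at):
            return None
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._tokens[access] = (user, self.now() + TOKEN_LIFETIME_S)
        self._refresh[refresh] = user
        return {
            "access_token": access,
            "token_type": "bearer",
            "refresh_token": refresh,
            "expires_in": TOKEN_LIFETIME_S,
        }

    def authenticate_request(self, headers):
        """Step 7: resolve the user from an Authorization: Bearer header, or None."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self.now() > expires_at:
            return None
        return user


if __name__ == "__main__":
    store = TokenStore()
    cb = "https://chat.openai.com/aip/plugin-abc123/oauth/callback"   # constructed
    code = store.issue_code("plugin-client-id", cb, "alice")
    resp = store.exchange_code(code, "plugin-client-id", "plugin-client-secret", cb)
    print(resp["token_type"], resp["expires_in"])
    print(store.authenticate_request({"Authorization": "Bearer " + resp["access_token"]}))
```

The checks that matter most are the ones the page's step list leaves implicit: the code is bound to the redirect_uri and client that started the flow, it is consumed on first use, and it expires well before the access token it produces.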

Here's an example of what the OAuth configuration in your ai-plugin.json file might look like:

"auth": {
  "type": "oauth",
  "client_url": "https://example.com/authorize",
  "scope": "",
  "authorization_url": "https://example.com/auth/",
  "authorization_content_type": "application/json",
  "verification_tokens": {
    "openai": "Replace_this_string_with_the_verification_token_generated_in_the_ChatGPT_UI"
  }
}

OAuth URL Structure

When setting up OAuth with ChatGPT, the user's browser is directed to a URL that follows this pattern:

"[client_url]?response_type=code&client_id=[client_id]&scope=[scope]&redirect_uri=https%3A%2F%2Fchat.openai.com%2Faip%2F[plugin_id]%2Foauth%2Fcallback"

In this URL:

  • [client_url] is the URL of your OAuth client's authorization endpoint.
  • [client_id] is the client ID provided during the setup.
  • [scope] is the scope of the permissions requested by the plugin.
  • [plugin_id] is the unique identifier of your plugin.

Once the user has authorized your plugin, your service will redirect back to the redirect_uri provided, which will include an authorization code. ChatGPT completes the OAuth flow by exchanging this authorization code for an access token.
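The authorization request described above, as an added example rather than code from the page or from OpenAI: one function rebuilds the URL pattern with urllib's encoding, and another shows what the service's authorization endpoint should check before showing a consent page. The registration table, the client ID, the plugin ID and the scope names are constructed; the callback URL template and parameter names are the ones shown in the pattern above. The validation goes slightly beyond the text by also rejecting duplicated query parameters and scopes the client was never granted.

```python
"""Constructed example: building and validating the authorization request URL."""
from urllib.parse import parse_qs, urlencode, urlsplit

CALLBACK_TEMPLATE = "https://chat.openai.com/aip/{plugin_id}/oauth/callback"

# Constructed registration. The exact redirect_uri for a client is fixed at
# registration time; requests are matched against it by exact string equality.
REGISTERED_CLIENTS = {
    "plugin-client-id": {
        "redirect_uris": {CALLBACK_TEMPLATE.format(plugin_id="plugin-abc123")},
        "scopes": {"read", "write"},
    },
}


def build_authorize_url(client_url, client_id, scope, plugin_id):
    """Reproduce the URL pattern ChatGPT sends the browser to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": scope,
        "redirect_uri": CALLBACK_TEMPLATE.format(plugin_id=plugin_id),
    }
    return f"{client_url}?{urlencode(params)}"


def validate_authorization_request(url, registered=REGISTERED_CLIENTS):
    """Return (params, None) if the request may proceed, else (None, reason)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def single(name):
        # Exactly one occurrence; duplicated parameters are rejected outright.
        values = query.get(name, [])
        return values[0] if len(values) == 1 else None

    if single("response_type") != "code":
        return None, "response_type must be code"
    client_id = single("client_id")
    client = registered.get(client_id)
    if client is None:
        return None, "unknown client_id"
    redirect_uri = single("redirect_uri")
    # Exact match only: no prefix, wildcard or host-only comparison.
    if redirect_uri not in client["redirect_uris"]:
        return None, "redirect_uri not registered"
    scope = single("scope")
    if scope is None:
        return None, "missing scope"
    requested = set(scope.split())        # an empty scope (as in the config above) is allowed
    if not requested <= client["scopes"]:
        return None, "scope not allowed"
    return {"client_id": client_id, "redirect_uri": redirect_uri,
            "scope": sorted(requested)}, None


if __name__ == "__main__":
    url = build_authorize_url("https://example.com/authorize",
                              "plugin-client-id", "read", "plugin-abc123")
    print(url)
    print(validate_authorization_request(url))
```

Because the redirect_uri embeds the plugin ID, a request carrying a callback for a different plugin, or any other host, fails the exact-match check, and the authorization code is never sent anywhere but the registered ChatGPT callback.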

Implementing OAuth 2.0 for your ChatGPT plugin provides a secure way to delegate access to your service, offering both you and your users increased security and control.