User Auth is fully managed by Rollout for third-party apps. However, you'll need to tell Rollout how auth works in your app.

The Purpose of User Auth#

When a user tries to connect your app to another, they will have to:

1. Authenticate the account in your app actually belongs to that user
2. Authorize the transfer of data between your app and a third-party app

Auth Types Supported#

Today, Rollout supports OAuth 2.0 and API Token. If your endpoints are secured using another form of auth, please reach out to [email protected].

When you need User Auth#

You'll need to configure User Auth if you need Rollout to make requests to API endpoints that are secured by user credentials (for example, if an Oauth token is requred in the Authorization header).

User Experience#

If you've configured OAuth, your users will see your OAuth pop-up window the first time they try to set up an Automation using one of your triggers or actions. Users will only need to authorize Rollout when creating their first Automation. Rollout will manage refreshing their credentials thereafter.

Avoiding the OAuth Pop-up#

If you're able to modify your API endpoints or expose new endpoints for use by Rollout only, you can avoid briging up your OAuth pop-up window the first time a user creates an Automation. To do so, you'll need to:

1. Implement a method for verifying that a request came from Rollout. You can do so by storing a secret as a Rollout environment variable and then verifying requests to insure that the sender has acess to the secret (e.g. through HMAC verification)
2. If you were using the token from the Authorization header to deduce the user, you'll now have to send the userId (available as context.userId) as a parameter when creating Triggers and Actions.