Authorize a connector using the Vault API

Instead of redirecting directly to the Hosted Vault, you can use the Vault API to build custom solutions and integrate better with your own application. When using the Vault API to build your own implementation, there are multiple ways of allowing your customers to authorize connections:

  • Use React Vault
  • Redirect to Hosted Vault
  • Completely build into your own app

Before we go over the different solutions it’s important to know that it’s required to obtain a Vault Session. This session is needed to identify the consumer that wants to connect to one or more services.

Option 1: Vault JS

Inside your application you can use Vault JS to quickly provide an embedded experience for your customers. With a simple NPM install, you can have a component that will handle every step of connecting your users to the desired service.

We also have specific React and Vue packages to make it even easier to integrate Vault into your application.

React Vault
React Vault

Open Apideck Vault

import { ApideckVault } from '@apideck/vault-js'{
  unifiedApi: 'accounting',
  serviceId: 'quickbooks'

You can find the

on the Connection object returned from the Get Connections call.

Option 2: Redirecting to the Hosted Vault connection page

When you want your customer to authorize a specific connection, you can add a call-to-action in your application that redirects to a connection page of Hosted Vault.

The URL to redirect needs to be built up like this:<unified_api>/<service_id>?jwt=<token>

You can find the

on the Connection object returned from the Get Connections call. The
is the Vault Session token that gets returned after creating a session.

Session settings

When creating a Vault Session you can provide a few settings to improve the customer experience.

Using the

setting, you can tell Hosted Vault to automatically redirect back to your application when the connection has been updated and its state has become

You can combine this by setting

to ensure the navigation link that points to the “integrations overview" is hidden from in the UI of Hosted Vault.

Isolation Mode
Isolation Mode

When creating your Vault Session it’s important to ensure you have provided a

, which will be used to redirect.

fetch('', {
  method: 'POST',
  headers: {
	  Authorization: `Bearer ${token}`,
	  'X-APIDECK-CONSUMER-ID': 'some-user-id',
	  'X-APIDECK-APP-ID': 'my-app-id'
  body: {
     redirect_uri: '', // <==== HERE
     settings: {
       auto_redirect: true,
	     isolation_mode: true

For all the session options you can provide, go here: sessionsCreate

Option 3: Completely built into your application

If you want to authorize a connection without leaving your application, you could use the

that is being returned from the Get Connections call directly.

Example Get connection response:

  "status_code": 200,
  "status": "OK",
  "data": {
    "id": "crm+salesforce",
    "service_id": "salesforce",
    "name": "Salesforce",
    "tag_line": "CRM software solutions and enterprise cloud computing from Salesforce, the leader in customer relationship management (CRM) and PaaS. Free 30 day trial.",
    "unified_api": "crm",
    "state": "authorized",
    "auth_type": "oauth2",
    "oauth_grant_type": "authorization_code",
    "status": "live",
    "enabled": true,
    "website": "",
    "icon": "",
    "logo": "",
    "authorize_url": "<application-id>?state=<state>",
    "revoke_url": "<application-id>?state=<state>",

If you do so, you have to append a

param to the
, be sure to URL encode the

Be aware: By doing this, you can redirect back directly to your application, but you’ll need to handle any potential errors yourself. It could also be that a connection still needs some additional configuration from your customer. Hosted Vault can handle this for you, but if you redirect to your own application, you will need to build it yourself.

Additional configuration
Additional configuration

For this reason, we usually recommend redirecting back to Hosted Vault. If you do, ensure you append your vault token. The complete URL you will have to use should look something like this: