GITBOOK-703: No subject

Author: dawnho

docs/.gitbook/assets/Screenshot 2025-11-22 at 6.25.14 PM (1).png

@@ -6,21 +6,25 @@ description: >-
 
 # Implementing Authentication
 
-A Seam integration starts with a user linking their account to your platform. We prefer [OAuth2](https://oauth.net/2/) because it provides a standardized, secure way to authenticate users and issue long-lived tokens while ensuring Seam never needs direct access to a user’s private credentials. A clean OAuth2 implementation is the foundation for a stable, reliable integration.
+A Seam integration starts when a user signs in to their device provider and gives your platform permission to access their account. The easiest way to support this is through [OAuth2](https://oauth.net/2/), because it gives users a familiar login screen and lets your API issue secure, long-lasting tokens without exposing passwords.
 
 ***
 
 ## OAuth2 with Access + Refresh Tokens
 
 Your API should use the standard [OAuth2 Authorization Code flow](https://oauth.net/2/).
 
-#### Authorization Request Example
+### 1. Authorization request launches the flow
+
+As the first step, Seam makes a GET request to your authorization URL. This should show the user a login screen from your service.
+
+#### Example authorization request
 
 ```http
 GET https://api.provider.com/oauth/authorize?
   response_type=code&
   client_id=seam_prod_123&
-  redirect_uri=https://connect.getseam.com/oauth/callback&
+  redirect_uri=https://example.com/oauth_redirect&
   scope=locks.read%20locks.write&
   prompt=login&
   state=xyz123
@@ -34,7 +38,63 @@ GET https://api.provider.com/oauth/authorize?
 
 ***
 
-#### OAuth Callback Example
+### 2. User login + consent screen
+
+After Seam sends the authorization request in [step 1](implementing-authentication.md#id-1.-authorization-request-launches-the-flow), your service should display a login and consent screen. The user signs in, reviews what Seam will be able to access, and decides whether to continue.
+
+
+
+{% columns %}
+{% column %}
+<figure><img src="../../.gitbook/assets/google sign in copy.png" alt="" width="375"><figcaption><p>Example login screen from Google</p></figcaption></figure>
+
+
+{% endcolumn %}
+
+{% column %}
+<figure><img src="../../.gitbook/assets/image (48).png" alt="" width="375"><figcaption><p>Example consent screen from Google</p></figcaption></figure>
+
+
+{% endcolumn %}
+{% endcolumns %}
+
+Your UI should:
+
+* ask the user to log in
+* clearly show what Seam will access
+* allow them to approve or deny
+
+This step should feel identical to signing into your own product.
+
+***
+
+### 3. Redirect back to Seam with a code
+
+After approval, redirect the browser back to the provided redirect URL:
+
+```
+https://example.com/oauth_redirect
+```
+
+Your service must append the authorization code (`code`) and `state`:
+
+```http
+https://example.com/oauth_redirect?
+  code=abc123_code_from_provider&
+  state=xyz123
+```
+
+**Key expectations:**
+
+* the redirect URL must exactly match one that Seam registered with your platform.
+* `code` is the temporary value Seam will exchange for tokens.
+* `state` must match what Seam originally sent in [Step 1](implementing-authentication.md#id-1.-authorization-request-launches-the-flow).
+
+***
+
+### 4. Exchange the code for tokens
+
+Seam will exchange the authorization code for tokens:
 
 ```http
 POST https://api.provider.com/oauth/token
@@ -47,9 +107,7 @@ client_id=seam_prod_123&
 client_secret=shhh_very_secret
 ```
 
-#### Token Response Example
-
-Your API should return both `access_token`, `refresh_token`, and a stable user or account ID:
+**Expected response:**
 
 ```json
 {
@@ -61,17 +119,17 @@ Your API should return both `access_token`, `refresh_token`, and a stable user o
 }
 ```
 
-**Requirements:**
+**Best practices:**
 
 * `access_token` expires quickly (`1h` is typical)
 * `refresh_token` lasts long and is stable
 * `user_id` must be stable across all future authentications
 
 ***
 
-### Use of Bearer Tokens
+### 5. Calling your API with the access token
 
-Seam can call your APIs using the standard `Authorization` header:
+Seam can call your APIs using the access token. A common way is to do it using the the standard `Authorization` header:
 
 ```http
 GET https://api.provider.com/v1/locks/123
@@ -80,23 +138,20 @@ Authorization: Bearer ya29.a0ARt76ExampleAccess
 
 ***
 
-### Token Refresh
+### 6. Refreshing tokens over time
 
-Seam refreshes tokens frequently and concurrently. Refreshing must not invalidate other live tokens.
+Seam refreshes tokens frequently, sometimes from multiple workflows running at once.
 
-#### Refresh Request Example
+<pre class="language-http"><code class="lang-http"><strong>POST https://api.provider.com/oauth/token
+</strong>Content-Type: application/x-www-form-urlencoded
 
-```http
-POST https://api.provider.com/oauth/token
-Content-Type: application/x-www-form-urlencoded
-
-grant_type=refresh_token&
-refresh_token=1//0exampleRefreshToken&
-client_id=seam_prod_123&
+grant_type=refresh_token&#x26;
+refresh_token=1//0exampleRefreshToken&#x26;
+client_id=seam_prod_123&#x26;
 client_secret=shhh_very_secret
-```
+</code></pre>
 
-#### Refresh Response Example
+**Expected response:**
 
 ```json
 {
@@ -108,57 +163,41 @@ client_secret=shhh_very_secret
 }
 ```
 
-**Critical behavior:**
-
-* You may issue a _new_ refresh token, but you must keep the previous one valid until it is used or explicitly expires.
-* You should _not_ revoke existing access tokens when a refresh occurs.
+#### Key requirements
 
-This guarantees reliability during:
-
-* Parallel background jobs
-* Mobile app and cloud usage at the same time
-* Long-running lock provisioning tasks
+* issue a new access token
+* keep existing unexpired access tokens valid
+* keep the refresh token usable until Seam rotates it
 
 ***
 
+## Additional integration requirements
+
 ### Stable User Identifier
 
-Every OAuth interaction must return a stable account-level ID. It should:
+Seam needs a permanent, account-level ID in every OAuth response so it can reconnect accounts and avoid duplicates. This ID must:
 
-* Never change for a given user
-* Not depend on email address (emails change)
-* Not depend on tokens
-* Not be session-based
+* remain the same for the lifetime of the account
+* not depend on email addresses
+* not change when tokens or sessions rotate
 
-#### Example
+**Example access token response:**
 
-```
+```json
 {
-  "user_id": "provider_user_491829"
+  "user_id": "provider_user_491829", // stable account identifier
+  "access_token": "ya29.a0ARt76ExampleAccess",
+  "token_type": "Bearer",
+  "expires_in": 3600,
+  "refresh_token": "1//0exampleRefreshToken"
 }
 ```
 
-Seam uses this to:
-
-* Deduplicate reconnections
-* Reconnect an account after token expiry
-* Maintain mapping between providers and Seam workspaces
-
-#### Example Scenario: Reconnect Flow
-
-| Event                 | Expected Provider Behavior                        |
-| --------------------- | ------------------------------------------------- |
-| User connects account | Returns `user_id = provider_user_491829`          |
-| User disconnects      | No change                                         |
-| User reconnects later | Returns the same `user_id = provider_user_491829` |
-
-If it changes, Seam must treat it as a new account — which breaks reconnect flows.
-
 ***
 
 ### Multiple Redirect URLs
 
-Your OAuth app should allow Seam to register multiple redirect URIs.
+Seam generally likes to use separate redirect URIs for production, staging, and local development. It's preferable if your provider allows registering multiple URLs.
 
 **Typical examples:**
 
@@ -168,51 +207,19 @@ https://staging.connect.getseam.com/oauth/callback
 http://localhost:3020/oauth/callback
 ```
 
-#### Registration Object Example
-
-If your API exposes an endpoint for app registration:
-
-```json
-{
-  "client_id": "seam_prod_123",
-  "redirect_uris": [
-    "https://connect.getseam.com/oauth/callback",
-    "https://staging.connect.getseam.com/oauth/callback",
-    "http://localhost:3020/oauth/callback"
-  ],
-  "scopes": ["locks.read", "locks.write"]
-}
-```
-
-If you allow redirect URLs via dashboard, ensure multiple can be entered without replacing each other.
-
 ***
 
 ### Token Stability Requirements
 
-Seam often runs concurrent jobs using different access tokens.
-
-#### Correct Behavior
-
-* Token refresh returns a new access token
-* Existing unexpired access tokens remain valid
-* Refresh token remains usable until explicitly rotated
+Seam may refresh tokens from multiple workflows at the same time, so refreshing can’t interrupt active requests.
 
-#### Incorrect Behavior (Do Not Do)
-
-* Refreshing invalidates all previous access tokens
-* Refreshing invalidates the previous refresh token immediately
-* Refreshing requires user reauthentication
-* API responds with 401 after every refresh
-
-#### Why It Matters
-
-Seam must support:
+**Requirements:**
 
-* Lock provisioning pipelines
-* High-frequency device polling during onboarding
-* Parallel credential updates across many devices
+* issue a new access token during refresh
+* let previously issued, unexpired access tokens keep working
+* keep the refresh token valid until Seam rotates it
+* do not force the user to sign in again or return 401s after refresh
 
-Breaking token stability results in lockouts, expired access grants, and repeated user re-auth flows.
+This protects long-running provisioning jobs, onboarding polling, and parallel credential updates from unexpected failures.
 
 ***