OAuth or Open Authorisation is an authorisation standard that allows applications to access resources hosted by other web apps on behalf of a user. For example, using OAuth, you can permit CricBuzz to access your Facebook profile without sharing your password. Your Facebook password will remain safe if CricBuzz faces a security breach.
Razorpay OAuth is a token-based authentication method where the third party obtains an access token with your consent without you having to compromise your API key secret. OAuth gives the control in your hands to decide which application can access what level of resources within your Razorpay account.
An online accounting software company, Acme Corp, wants to provide accounting services to a Razorpay merchant, ABC.
Acme Corp. should be registered as a third-party application with Razorpay to create credentials (
secret) that authenticates the application on Razorpay. When ABC wants to use the Acme Corp application, it should:
- Sign in with Razorpay on the Acme Corp application.
- Provide approvals that allow the application to access protected resources.
ABC can start using the application only after it completes the above process.
- Sign up with Razorpay as a Platform Partner by reaching out to our . You require this to register your application on the Razorpay Dashboard.
- A front-end interface for your app with a button redirecting the user to the Razorpay OAuth page.
- A redirect URL pointing to your application. Razorpay will redirect users to this URL.
The following diagram explains the OAuth flow:
Given below is the overall flow:
- The sub-merchant logs in to the application.
- The sub-merchant clicks Connect with Razorpay and is shown the authorisation page. The sub-merchant clicks Authorize to proceed.
- The application redirects to the Razorpay authorisation URL. This URL requests the sub-merchant's approval for granting access to the requested resource on Razorpay.
- The user is shown the approval page where they can accept or reject the grant of this access.
- After the user approves or rejects the request, Razorpay redirects to the
- If approved, an
authorization_code is included as a query parameter.
- If denied, the error reason is sent in the query parameter.
- On approval, the application requests an
access_token in exchange for the
- The application can use the
access_token to access Razorpay APIs on behalf of the sub-merchant.