Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.alterauth.com/llms.txt

Use this file to discover all available pages before exploring further.

Getting Started

The Developer Portal (portal.alterauth.com) is where OAuth providers are configured, security policies are set, and applications are managed.
1

Create Account

Sign up at portal.alterauth.com
2

Create Application

Each app has its own OAuth grants and API keys
3

Add OAuth Providers

Configure Google, Slack, GitHub, etc.
4

Copy the API Key

Get the API Key (alter_key_...) for the SDK

OAuth Provider Setup

Add OAuth Apps

For each provider you want to support:
  1. Go to OAuth ProvidersAdd Provider
  2. Enter credentials from the provider’s console:
    • Client ID
    • Client Secret
    • Redirect URI: Copy the Redirect URI shown on the provider setup page
  3. Select the scopes you need
  4. Save and activate

Provider Consoles

ProviderWhere to Get Credentials
Acuity Schedulingdevelopers.acuityscheduling.com
Adobedeveloper.adobe.com/console
Aircalldashboard.aircall.io/integrations
Airtableairtable.com/create/oauth
Apollo.iodeveloper.apollo.io
Asanaapp.asana.com/0/my-apps
Atlassiandeveloper.atlassian.com/console/myapps
Attioapp.attio.com/settings/developers
Autodeskaps.autodesk.com/myapps
AWSconsole.aws.amazon.com/iam
Basecamplaunchpad.37signals.com/integrations
Bitbucketbitbucket.org/account/settings
Bitlyapp.bitly.com/settings/api
Boxapp.box.com/developers/console
Brexdeveloper.brex.com
Cal.comapp.cal.com/settings/developer/oauth-clients
Calendlydeveloper.calendly.com
Canvacanva.com/developers/integrations
ClickUpapp.clickup.com/settings/apps
Closeapp.close.com/settings/developer
Constant Contactapp.constantcontact.com
Contentfulapp.contentful.com
Deelapp.deel.com/developer-center
Dialpaddialpad.com/developer
DigitalOceancloud.digitalocean.com/account/api/applications
Discorddiscord.com/developers/applications
DocuSigndevelopers.docusign.com
Dropboxdropbox.com/developers/apps
eBaydeveloper.ebay.com/my/keys
Eventbriteeventbrite.com/platform/api-keys
Facebookdevelopers.facebook.com/apps
Figmafigma.com/developers/apps
GitHubgithub.com/settings/apps
Googleconsole.cloud.google.com
HubSpotdevelopers.hubspot.com
Instagramdevelopers.facebook.com/apps
Linearlinear.app/settings/api
LinkedInlinkedin.com/developers/apps
Mailchimpadmin.mailchimp.com/account/oauth2
Mercurydocs.mercury.com/…/oauth2
Microsoftentra.microsoft.com
Mirodevelopers.miro.com
monday.commonday.com/developers/apps
Notionnotion.so/my-integrations
Outreachdevelopers.outreach.io
PagerDutydeveloper.pagerduty.com
PayPaldeveloper.paypal.com/dashboard/applications
Pinterestdevelopers.pinterest.com/apps
Pipedrivedevelopers.pipedrive.com
QuickBooksdeveloper.intuit.com/app/developer/dashboard
Rampdocs.ramp.com
Redditreddit.com/prefs/apps
RingCentraldevelopers.ringcentral.com
Salesforcelogin.salesforce.com
Sentrysentry.io/settings/account/api/applications
Slackapi.slack.com/apps
Snapchatbusiness.snapchat.com
Spotifydeveloper.spotify.com/dashboard
Squaredeveloper.squareup.com/apps
Squarespacedevelopers.squarespace.com
Stripedashboard.stripe.com/settings/connect
TikTokdevelopers.tiktok.com
Todoistapp.todoist.com/…/app-management
Twitter (X)developer.x.com/en/portal/dashboard
Typeformadmin.typeform.com
Webexdeveloper.webex.com/my-apps
Webflowdevelopers.webflow.com
See each provider’s documentation page in the Providers section of the sidebar for detailed setup instructions.

Managed Secrets

Managed Secrets store API keys, service tokens, and other credentials for internal APIs — no OAuth flow or end-user action needed.
How is this different from OAuth? With OAuth grants, the grant_id comes from the end user completing an OAuth flow via Alter Connect. With Managed Secrets, the grant_id comes from this portal when a credential is stored. No end user is involved — the developer stores the secret, gets a grant_id, and uses it in application code.

When to Use Managed Secrets

  • Internal APIs that require an API key or service token
  • Partner APIs that provide static credentials
  • SaaS platforms with API key authentication
  • Any service where you already have the credentials

Setting Up a Managed Secret Provider

1

Go to Managed Secrets

Open the application and click Managed Secrets in the sidebar
2

Add a Provider

Click Add Provider and configure:
  • Provider Name: A descriptive name (e.g., “Loyalty API”, “Billing Service”)
  • Credential Type: How the secret should be injected into requests
Credential TypeHeader Format
Bearer TokenAuthorization: Bearer <token>
API KeyCustom header (e.g., X-API-Key: <key>)
Basic AuthAuthorization: Basic <base64>
3

Store a Secret

Click Store Secret on the provider, enter the credential value, and save. A grant_id (UUID) is returned for use with the SDK.
Secret values are write-only — once stored, you cannot view the raw value. You can only use it via vault.request() or replace it by storing a new value.

Using Managed Secrets

Use the same vault.request() method as OAuth grants: 
# Same method — just use the managed secret's grant_id
response = await vault.request(
    HttpMethod.GET,
    "https://api.internal.com/v1/loyalty/points",
    grant_id="MANAGED_SECRET_GRANT_ID",  # from Developer Portal
)

Managing Secrets

  • Rotate: Store a new secret value on the same provider — the grant_id stays the same
  • Revoke: Delete a stored secret when it’s no longer needed
  • Delete Provider: Remove the provider and all its stored secrets

Policies for Managed Secrets

Managed secrets support the same policy rules as OAuth providers. Go to Policies to configure time-based access or IP allowlists for managed secret providers.

Custom Schemas

Add structured data to any OAuth connection for enhanced functionality.

Use Cases

  • Sync Settings: Which data to sync, how often
  • User Preferences: Per-connection configuration
  • Metadata: Labels, tags, categories
  • Internal Mapping: Link to application database records

Creating a Schema

  1. Go to ApplicationCustom Schemas
  2. Click Create Schema
  3. Use the visual builder to add fields: 
    {
  "sync_preferences": {
    "calendar": {
      "enabled": true,
      "frequency": "hourly"
    },
    "email": {
      "enabled": false
    }
  },
  "department": "engineering",
  "cost_center": "CC-001"
}
  4. Set field types and validation:
    • Types: string, number, boolean, object, array
    • Validation: required, min/max, enum values
    • Defaults: Set default values
  5. Save and apply to connections

Using Schema Data

# Custom schema data is set during the OAuth connection flow
# via the Alter Connect session endpoint, then available
# in the Alter Vault dashboard for filtering and management.
#
# The SDK's vault.request() uses a grant_id to look up
# the right connection. Custom schema data enriches
# the grant metadata for your dashboard workflows.

Security Policies

Control how and when OAuth tokens can be accessed. Policies are enforced in real-time before tokens are returned from the API.
Policies can only be configured for OAuth providers that you’ve already set up in the OAuth Providers tab. Add a provider there first, then configure its policy.

Policy Rule Types

RuleDescriptionExample
Time-Based AccessRestrict to business hours or weekdaysMon-Fri, 9am-5pm
IP AllowlistOnly allow access from specific IPsOffice network 203.0.113.0/24

Creating Policies

1

Configure a Provider

Open the application, then go to OAuth Providers in the sidebar and add at least one provider (e.g., Google)
2

Open Policies

Go to Policies in the app sidebar. Only configured providers appear here.
3

Add Policy

Click Add Policy next to a provider and configure rules:
  • Time Restrictions: Check “Business hours only” (9am-5pm) or “Weekdays only” (Mon-Fri), and select a timezone
  • IP Allowlist: Add IPv4/IPv6 addresses or CIDR ranges
4

Save

Click Save Policy. Changes take effect immediately for new token retrievals.

Policy Examples

Business hours + IP allowlist — restrict to office network during work hours: 
{
  "time_restrictions": { "business_hours_only": true, "weekdays_only": true, "timezone": "America/New_York" },
  "ip_allowlist": ["203.0.113.0/24"]
}
Weekdays only — prevent token access on weekends: 
{
  "time_restrictions": { "weekdays_only": true }
}

Policy Evaluation

All configured rules are evaluated with AND logic — every rule must pass for token access to be granted.
  1. Time restrictions (is it within business hours / a weekday?)
  2. IP allowlist (is the client IP in the allowed list?)
Scope enforcement is handled separately via the OAuth provider configuration, not through policies. If any rule fails, access is denied with a specific reason. If no policy is configured for a provider, all token accesses are allowed (permissive default).

Fail-Closed Security

If the policy service is unavailable, the system denies all token access rather than bypassing policies. This ensures security even during outages.

API Keys

Create an API Key

  1. Go to ApplicationAPI Keys
  2. Click Create Key, name it (e.g., “Production Backend”), and choose an expiration
  3. Copy and save the key: alter_key_... (shown only once)

Security Best Practices

  • Backend Only: Never put API keys in frontend code
  • Session Tokens: Create temporary tokens for frontend
  • Set Expiration: Use 90-day or shorter expiration for production keys
  • Name Keys Descriptively: Use descriptive names to track what each key is for
  • Environment Variables: Never commit keys to code

Connection Management

View and manage all OAuth grants:

Connections Dashboard

  • Filter: By provider, user, date, or custom schema fields
  • Search: Find specific users or connections
  • Bulk Actions: Update or revoke multiple connections
  • Export: Download connection data as CSV

Connection Details

For each grant, view:
  • Provider and account info
  • Grant ID
  • Custom schema data
  • Token status and refresh history
  • Audit logs of all access

Revoke Access

  1. Find the grant
  2. Click Revoke
  3. Choose:
    • Soft Revoke: Mark inactive (can reactivate)
    • Hard Revoke: Delete completely

Organizations & Teams

Team Management

  1. Go to OrganizationTeam
  2. Invite members with roles:
    • Admin: Full access
    • Developer: Manage apps and connections
    • Viewer: Read-only access

Multiple Applications

Create separate apps for different environments:
EnvironmentPurposeAPI Key Type
DevelopmentLocal testingAuto-expires in 30 days
StagingQA testingStandard
ProductionLive usersIP-restricted

Audit Logs

View all activity for an application by opening the app and navigating to Audit Logs in the app sidebar.
  • Filter by event type, provider, user, actor, or date range
  • Search for specific connections, users, or AI agents
  • Click any entry for full details
  • Export as CSV for compliance reporting
See the Audit Logs guide for more details.

Monitoring

Dashboard Metrics

  • Active Connections: Total by provider
  • API Usage: Calls per day/month
  • Token Refreshes: Automatic refresh count
  • Error Rate: Failed requests percentage
  • Policy Violations: Blocked requests

Alerts

Set up notifications for:
  • High error rates
  • Policy violations
  • Approaching rate limits
  • Connection failures

Quick Reference

Backend Code

from alter_sdk import AlterVault, HttpMethod

vault = AlterVault(
    api_key="alter_key_...",
    caller="my-service",
)

# OAuth: grant_id from your DB (stored when user completed Alter Connect)
grant_id = db.get_grant(user_id="alice", provider="google")
response = await vault.request(
    HttpMethod.GET,
    "https://www.googleapis.com/calendar/v3/calendars/primary/events",
    grant_id=grant_id,
)

# Managed secret: grant_id from Developer Portal (stored in config/env)
response = await vault.request(
    HttpMethod.GET,
    "https://api.internal.com/v1/loyalty/points",
    grant_id=os.environ["LOYALTY_API_GRANT_ID"],
)

Frontend Code

// Call YOUR backend to create a session (using API key)
const { session_token } = await fetch('/api/connect/session').then(r => r.json());

// Open OAuth flow (no API key needed)
await alterConnect.open({
    token: session_token,
    onSuccess: (connections) => {
        // Each connection has a grant_id (UUID) — store it in your database
        for (const conn of connections) {
            console.log('Connected!', conn.grant_id, conn.provider);
        }
    }
});

Support