Developer Portal for YouTrack and Hub Help

OAuth 2.0 Authorization in Hub

Hub implementation of OAuth 2.0 supports several authentication/authorization flows. To access resources of Hub itself and services connected to Hub, a client should obtain an access token. The flow that the client may use depends on:

  • What information the client has (service credentials / user credentials).

  • Where from the client access resources (from a browser / from the server side / from a standalone application).

What Flow to Use?

You develop...

Flow to use

Required parameters

Additional requirement

A rich client web application with all authorization logic in browser

Implicit flowservice id

Handle in browser request with a grant from Hub

A web application with the authorization login on the server side

Authorization Code flow

service id, service secret

Handle request with a grant from Hub server on server side

A desktop or a mobile application able to request authorization token non-interactively

Refresh Token flow

service id, service secret

Handle request with a grant from Hub server on server side

A script that needs to access resources on behalf of itself

Client Credentials flow

service id, service secret


A script that needs to access resources on behalf of some user

Resource Owner Password Credentials flow

service id, service secret, username and password


What Information You Should Have


Is it required?


Client service IDAlways

An identifier (ID) of the service associated with the client in Hub.

Client service secret

Depends on flow

A secret for the service associated with the client in Hub.


An ID of the registered in Hub service associated with the resource server. For example, if the client wants to access issues in YouTrack, it should find out the id of YouTrack service in Hub.

The client can access more then one resource server with a single access token. In this case, the Scope is the space-separated list of the IDs of the services registered in Hub.

Client redirect URI

Depends on flow

An URI at the client application that can handle response from authorization server (Hub).


Depends on flow

End-user's username, or id, or email.


Depends on flow

End-user's password.

OAuth 2.0 Endpoints for Hub

For the Hub service, the OAuth 2.0 endpoints for authentication and token are:

  • Authentication endpoint URL: <Hub Service URL>/api/rest/oauth2/auth

  • Token endpoint URL: <Hub Service URL>/api/rest/oauth2/token

<Hub Service URL> is the URL that is configured for the Hub service in your network environment. For example, you have your company's server and a Hub service. You can configure Hub to be accessible by or, let's say Subsequently, the OAuth 2.0 endpoints are as follows, respectively:

  • For and

  • For and

If you need to get the user info and further data, please check the description of OpenID Connect endpoint.

Register Client as a Service

To enable authorization you should register your client as a Hub service. You can do it either in administrative UI or programmatically. Basically, you just send POST request on /services URL and get credentials of the newly created service in response.

Sample script for registering client as a service

The following sample script considers Hub service to be installed to and a client OAuth 2.0 service - to


POST /api/rest/services?fields=id,secret HTTP/1.1 Host: Accept: application/json Content-Type: application/json { "name": "My Service", "homeUrl": "", "redirectUris": [""], "applicationName": "My Service", "vendor": "Company Inc.", "version": "1.0" }


{ "id": "98071167-004c-4ddf-ba37-5d4599fdf319", "secret": "eAUyKgVfhSbV" }

You can later use service's id and secret for authorization.

Service in Hub can be either trusted or not. If a service is trusted, then it can access Hub resource servers on behalf of itself. Also, when a user is sent from the trusted service to authorize himself, the user sees no additional warning.

Last modified: 11 June 2024