Vacation Tracker Docs
OAuth2 Authorization

Vacation Tracker's OAuth2 server for third-party application authorization.

Vacation Tracker provides an OAuth2 authorization server that allows third-party applications to access user data on behalf of authenticated users. The server implements the Authorization Code Grant flow (RFC 6749 Section 4.1).

Overview

  • Grant type: Authorization Code (confidential clients only)
  • Token format: JWT (issued by AWS Cognito)
  • Token lifetime: Access tokens expire after 60 minutes, refresh tokens after 365 days
  • Authorization codes: Single-use, expire after 10 minutes
  • PKCE: Not supported — security relies on client secrets, state parameter, and redirect URI validation

How it works

  1. Your application redirects the user to Vacation Tracker's authorization endpoint
  2. The user logs in with their Vacation Tracker account and grants permission
  3. Vacation Tracker redirects back to your application with an authorization code
  4. Your application exchanges the code for access and refresh tokens
  5. Use the access token to call protected API endpoints
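The five steps above, carried through as an added Python example that is not from Vacation Tracker's own docs or SDK: a confidential client mints and later consumes the state parameter (the page notes that, with no PKCE, security rests on the client secret, state and redirect URI checks), rejects a callback at the wrong redirect URI, and tracks the 60-minute access token lifetime. Only the /oauth base URL comes from this page; the /authorize and /token paths, the client id and the redirect URI are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# The base URL is from this page; the /authorize and /token paths are
# assumed (RFC 6749 conventions) and are not endpoints this page documents.
BASE_URL = "https://api.app.vacationtracker.io/oauth"
AUTHORIZE_URL = f"{BASE_URL}/authorize"
TOKEN_URL = f"{BASE_URL}/token"  # step 4: server-side POST with client_secret
CODE_MAX_AGE = 600  # authorization codes are single-use and last 10 minutes

def build_authorization_url(client_id, redirect_uri, pending, now=None):
    """Step 1: mint an unguessable state, record when it was issued and
    return (state, url). `pending` maps state -> issue time for this client."""
    state = secrets.token_urlsafe(32)
    pending[state] = time.time() if now is None else now
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return state, f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_callback(callback_url, redirect_uri, pending, now=None):
    """Step 3: validate the redirect back to the client and return the code.
    With no PKCE, binding the callback to a state we issued, and consuming
    it, is what stops a forged or replayed callback from being accepted."""
    now = time.time() if now is None else now
    parsed = urlparse(callback_url)
    if parsed._replace(query="", fragment="").geturl() != redirect_uri:
        raise ValueError("callback did not arrive at the registered redirect URI")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    issued = pending.pop(qs.get("state", [""])[0], None)  # single use
    if issued is None or now - issued > CODE_MAX_AGE:
        raise ValueError("unknown, reused or expired state")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]

def access_token_expired(obtained_at, expires_in=3600, now=None, skew=60):
    """Step 5: refresh before the 60-minute access token lapses; `skew`
    seconds of margin avoids presenting a token that expires in flight."""
    now = time.time() if now is None else now
    return now >= obtained_at + expires_in - skew
```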

Base URL

All OAuth2 endpoints are served under the /oauth path:

https://api.app.vacationtracker.io/oauth

Integrations using OAuth2

The Zapier integration uses this OAuth2 flow to authenticate users when connecting their Vacation Tracker account to Zapier. See the Zapier Setup Guide for how the authorization flow works in practice.
