Apidog Docs
πŸ‡ΊπŸ‡Έ English
  • πŸ‡ΊπŸ‡Έ English
  • πŸ‡―πŸ‡΅ ζ—₯本θͺž
HomeLearning Center
Support CenterAPI ReferencesDownloadChangelog
HomeLearning Center
Support CenterAPI ReferencesDownloadChangelog
Discord Community
Slack Community
X / Twitter
πŸ‡ΊπŸ‡Έ English
  • πŸ‡ΊπŸ‡Έ English
  • πŸ‡―πŸ‡΅ ζ—₯本θͺž
πŸ‡ΊπŸ‡Έ English
  • πŸ‡ΊπŸ‡Έ English
  • πŸ‡―πŸ‡΅ ζ—₯本θͺž
  1. Best Practices
  • Apidog Learning Center
  • Getting Started
    • Introduction to Apidog
    • Basic Concepts in Apidog
    • Navigating Apidog
    • Quick Start
      • Overview
      • Creating an Endpoint
      • Making a Request
      • Adding an Assertion
      • Creating Test Scenarios
      • Sharing API Documentation
      • Explore More
    • Migration to Apidog
      • Overview
      • Manual Import
      • Scheduled Import (Bind Data Sources)
      • Import Options
      • Export Data
      • Import From
        • Import from Postman
        • Import OpenAPI Spec
        • Import cURL
        • Import Markdowns
        • Import from Insomnia
        • Import from apiDoc
        • Import .har File
        • Import WSDL
  • Design APIs
    • Overview
    • Create a New API Project
    • Endpoint Basics
    • APl Design Guidelines
    • Module
    • Configure Multiple Request Body Examples
    • Components
    • Common Fields
    • Global Parameters
    • Endpoint Change History
    • Comments
    • Batch Endpoint Management
    • Custom Protocol API
    • Schemas
      • Overview
      • Create a New Schema
      • Build a Schema
      • Generate Schemas from JSON Etc
      • oneOf, allOf, anyOf
      • Using Discriminator
    • Security Schemes
      • Overview
      • Create a Security Scheme
      • Use the Security Scheme
      • Security Scheme in Online Documentation
    • Advanced Features
      • Custom Endpoint Fields
      • Associated Test Scenarios
      • Endpoint Status
      • Appearance of Parameter Lists
      • Endpoint Unique Identification
  • Develop and Debug APIs
    • Overview
    • Generating Requests
    • Sending Requests
    • Debugging Cases
    • Test Cases
    • Dynamic Values
    • Validating Responses
    • Design-First vs Request-First
    • Generating Code
    • Environments & Variables
      • Overview
      • Environment Management
      • Using Variables
    • Vault Secrets
      • Overview
      • HashiCorp Vault
      • Azure Key Vault
      • AWS Secrets Manager
    • Pre and Post Processors
      • Assertion
      • Extract Variable
      • Wait
      • Overview
      • Using Scripts
        • Overview
        • Pre Processor Scripts
        • Post Processor Scripts
        • Public Scripts
        • Postman Scripts Reference
        • Calling Other Programming Languages
        • Using JS Libraries
        • Visualizing Responses
        • Script Examples
          • Assertion Scripts
          • Using Variables
          • Modifying Requests
          • Other Examples
      • Database Operations
        • Overview
        • MySQL
        • MongoDB
        • Redis
        • Oracle Client
    • Dynamic Values Modules
  • Mock API Data
    • Overview
    • Smart Mock
    • Custom Mock
    • Mock Priority Sequence
    • Mock Scripts
    • Cloud Mock
    • Self-Hosted Runner Mock
    • Mock Language (Locales)
  • API Testing
    • Overview
    • Test Scenarios
      • Create a Test Scenario
      • Pass Data Between Requests
      • Flow Control Conditions
      • Sync Data from Endpoints and Endpoint Cases
      • Import Endpoints and Endpoint Cases from Other Projects
      • Export Test Scenarios
    • Run Test Scenarios
      • Run a Test Scenario
      • Run Test Scenarios in Batch
      • Manage Runtime Environment of APIs from Other Projects
      • Data-Driven Testing
      • Scheduled Tasks
    • Test Suite
      • Overview
      • Create A Test Suite
      • Orchestrate Test Suite
      • Run Test Suites Locally
      • Run Test Suites Via CLI
      • Scheduled tasks
    • Test Reports
      • Test Reports
    • Test APIs
      • Integration Testing
      • Performance Testing
      • End-to-End Testing
      • Regression Testing
      • Contract Testing
    • Apidog CLI
      • Overview
      • Installing and Running Apidog CLI
      • Apidog CLI Options
    • CI CD
      • Overview
      • Integrate with Gitlab
      • Integrate with Jenkins
      • Trigger Test by Git Commit
      • Integrate with Github Actions
  • Publish API Docs
    • Overview
    • API Technologies Supported
    • Quick Share
    • Viewing API Documentation
    • Markdown Documentation
    • Publishing Documentation Sites
    • Custom Layouts
    • Custom CSS, JavaScript, HTML
    • Custom Domain
    • LLM-Friendly Features
    • SEO Settings
    • Advanced Settings
      • Documentation Search
      • CORS Proxy
      • Integrating Google Analytics with Doc Sites
      • Folder Tree Settings
      • Visibility Settings
      • Embedding Values in Document URLs
    • API Versions
      • Overview
      • Creating API Versions
      • Publishing API Versions
      • Sharing Endpoints with API Versions
  • Send Requests
    • Overview
    • SSE Debugging
    • MCP Client
    • Socket.IO
    • WebSocket
    • Webhook
    • SOAP or WebService
    • GraphQL
    • gRPC
    • Use Request Proxy Agents for Debugging
    • Create Requests
      • Request History
      • Request Basics
      • Parameters and Body
      • Request Headers
      • Request Settings
      • Debug Requests
      • Saving Requests as Endpoints
      • HTTP/2
    • Response and Cookies
      • Viewing API Responses
      • Managing Cookies
      • Overview
    • Authentication and Authorization
      • Overview
      • CA and Client Certificates
      • Authorization Types
      • Digest Auth
      • OAuth 1.0
      • OAuth 2.0
      • Hawk Authentication
      • Kerberos
      • NTLM
      • Akamai EdgeGrid
  • Branches
    • Overview
    • Creating a Sprint Branch
    • Testing APIs in a Branch
    • Designing APIs in a Branch
    • Merging Sprint Branches
    • Managing Sprint Branches
  • AI Features
    • Overview
    • Enabling AI Features
    • Generating Test Cases
    • Modifying Schemas with AI
    • Endpoint Compliance Check
    • API Documentation Completeness Check
    • AI-Powered Field Naming
    • FAQs
  • Apidog MCP Server
    • Overview
    • Connect Apidog Project to AI
    • Connect Published Documentation to AI
    • Connect OpenAPI Files to AI
  • Best Practices
    • Handling API Signatures
    • Accessing OAuth 2.0 Protected APIs
    • Collaboration Workflow
    • Managing Authentication State
  • Offline Space
    • Overview
  • Administration
    • Onboarding Checklist
      • Basic Concepts
      • Onboarding Guide
    • Managing teams
      • Managing Teams
      • Managing Team Members
      • Member Roles & Permission Settings
      • Team Activities
      • Team Resources
        • General Runner
        • Team Variables
        • Request Proxy Agent
      • Real-time Collaborations
        • Team Collaboration
    • Managing Projects
      • Managing Projects
      • Managing Project Members
      • Notification Settings
      • Project Resources
        • Database Connection
        • Git Connection
    • Managing Organization
      • Managing Organization
      • Single Sign-On (SSO)
        • SSO Overview
        • Configure Microsoft Entra ID
        • Configure Okta
        • Configure SSO for an Organization
        • Managing user accounts
        • Mapping Groups to Teams
      • SCIM Provisioning
        • Intro to SCIM Provisioning
        • Microsoft Entra ID
        • Okta
      • Organization Resources
        • Self-hosted Runner
      • Plans management
        • Billing managers in organization
  • Billing
    • Overview
    • Credits
    • Unable to use credit cards
    • Managing subscriptions
    • Upgrade plan
    • How to move a paid team to a organization
  • Data & Security
    • Apidog data storage location and security
    • User data privacy and storage location
    • Request routing and data security
  • Add-ons
    • API Hub
    • Apidog Intellij IDEA plugin
    • Browser Extension
      • Chrome
      • Microsoft Edge
    • Request Proxy
      • Request proxy in Apidog web
      • Request proxy in shared docs
      • Request proxy in Apidog client
  • Account & preferences
    • Account settings
    • Generate OpenAPI access token
    • Notification
    • Language settings
    • Hot keys
    • Network proxy configuration
    • Data backup
    • Updating Apidog
    • Deleting account
    • Experimental Features
  • References
    • API-Design First Approach
    • Apidog OpenAPI Specificaiton Extensions
    • JSONPath
    • XPath
    • Regular Expressions
    • JSON Schema
    • CSV File Format
    • Install Java Environment
    • Runner deployment environment
    • Apidog flavored Markdown
  • Apidog Europe
    • Apidog Europe
  • Support Center
HomeLearning Center
Support CenterAPI ReferencesDownloadChangelog
HomeLearning Center
Support CenterAPI ReferencesDownloadChangelog
Discord Community
Slack Community
X / Twitter
πŸ‡ΊπŸ‡Έ English
  • πŸ‡ΊπŸ‡Έ English
  • πŸ‡―πŸ‡΅ ζ—₯本θͺž
πŸ‡ΊπŸ‡Έ English
  • πŸ‡ΊπŸ‡Έ English
  • πŸ‡―πŸ‡΅ ζ—₯本θͺž
  1. Best Practices

Accessing OAuth 2.0 Protected APIs

OAuth 2.0 is an authorization framework that allows users to grant third-party applications permission to access services on their behalf, eliminating the need for repetitive credential entry while ensuring security and flexibility.
This guide demonstrates how to debug OAuth 2.0 APIs using Apidog, with Google account sign-in as a practical example.

Understanding the OAuth 2.0 Flow#

In a typical OAuth 2.0 scenario:
Client: Your website or application
Authorization Server: The service providing authentication (e.g., Google)
Resource Server: The service hosting protected resources

Prerequisites#

Before testing OAuth 2.0 APIs, ensure you have:
An OAuth client registered with the authorization server (e.g., Google API Console Project)
Client ID and client secret credentials
Configured redirect URIs
If you haven't registered a Google API Console Project, refer to the official documentation to create a new OAuth client.

OAuth 2.0 Authorization Flow#

Step 1: Request User Authorization#

When a user clicks the "Sign in with Google" button, your website sends a request to Google's OAuth 2.0 authorization server to obtain permission to access the user's Google account.
Sign in with Google button
The authorization request is sent to https://accounts.google.com/o/oauth2/v2/auth/ with the following parameters:
ParameterRequiredDescription
client_idRequiredThe client ID for your application from the API Console Credentials page
redirect_uriRequiredWhere the API server redirects the user after authorization. Must exactly match one of the authorized redirect URIs in your OAuth 2.0 client configuration
response_typeRequiredSet to code for web server applications to receive an authorization code
scopeRequiredSpace-delimited list of scopes identifying the resources your application can access on the user's behalf
access_typeRecommendedonline (default) or offline. Use offline if your application needs to refresh access tokens when the user is not present
stateRecommendedAny string value to maintain state between your authorization request and the authorization server's response
This table shows the basic parameters required by Google OAuth 2.0. Many other optional parameters are available to customize the user experience and security. See the official documentation for complete details.

Step 2: User Grants Authorization#

Google presents a consent screen requesting permission to access the specified resources.
Possible outcomes:
User approves: Google sends an authorization token to your web server
User denies: Google sends an error message to your web server

Step 3: Exchange Authorization Code for Access Token#

After the user grants permission, the authorization code is included in the response. The response appears in the query string:
# Error response
http://example.com/#error=access_denied&state=state_parameter_passthrough_value

# Success response
http://example.com/#state=state_parameter_passthrough_value&access_token=***&token_type=Bearer&expires_in=***&scope=email%20https://www.googleapis.com/auth/userinfo.email%20openid&authuser=0&prompt=consent
Extract the access token from the URL to use with other Google API services.

Step 4: Access Protected Resources#

Using the Openidconnect API as an example, you can access the user's Google account information by sending a request with the access token.
Testing in Apidog:
1.
Create a new request in your Apidog project
2.
Use the URL: https://openidconnect.googleapis.com/v1/userinfo?access_token=ACCESS_TOKEN
3.
Replace ACCESS_TOKEN with your actual token
4.
Click Send
Sending request with access token in Apidog

Step 5: Receive User Information#

Google verifies the access token's validity and determines the associated authorized client.
Possible outcomes:
Valid token: Google responds with the user's information
Invalid/expired token: Google responds with an error message
Successful response with user information
The API response is a JSON object containing the user's Google account information, such as picture and email. Your website can use this data to automatically display the user's profile without manual entry.

Benefits of Using Apidog for OAuth 2.0 Testing#

Using Apidog to debug OAuth 2.0 APIs provides:
Clear visibility into parameters required by upstream and downstream processes
Optimized development experience with visual parameter management
Workflow validation before writing code
Reduced debugging time during implementation
Once the complete workflow is successfully executed in Apidog, backend developers can confidently write code to complete the business process without needing to verify while developing.

References#

Google OAuth 2.0 Documentation
πŸ“„ Example Web Page Source Code
HTML:
JavaScript:
Modified atΒ 2026-01-23 07:17:04
Previous
Handling API Signatures
Next
Collaboration Workflow
Built with