API
Return embedded OAuth to your app
Products that embed Mobius can return the browser to their own application
after a managed Gmail or Slack OAuth connection. The normal Mobius connection
flow is unchanged when you omit return_url and client_state.
There is no allowlist management screen in the app. An organization Owner or Admin configures it through the organization API.
Allowlist your origin
Replace the complete origin allowlist with:
PUT /v1/organization/oauth-return-origins
Authorization: Bearer <admin-api-key>
Content-Type: application/json
{
"origins": ["https://app.partner.example"]
}Each entry is an exact HTTPS origin: scheme, host, and optional non-default port. Paths, query strings, fragments, and embedded credentials are not valid origins. Mobius lowercases hosts, strips default ports, removes duplicates, and accepts at most 20 entries. Sending an empty array disables embedded return.
Read the current normalized list with:
GET /v1/organization/oauth-return-originsStart the connection
Add return_url and client_state to a supported connect request:
POST /v1/projects/platform/integrations/providers/gmail/connect
Authorization: Bearer <api-key>
Content-Type: application/json
{
"return_url": "https://app.partner.example/settings/integrations/callback",
"client_state": "connect_session_01J8"
}Open the response's redirect_url in the user's browser when kind is
redirect. The return URL may be up to 2,048 bytes. Its origin must exactly
match an allowlisted origin, and it cannot include a fragment or credentials.
client_state is an opaque value of at most 512 bytes. Generate it in your
backend, bind it to the signed-in user and connection attempt, and consume it
once after the browser returns. client_state without return_url is invalid.
Embedded return is supported by managed Gmail OAuth and the managed Slack app. The customer-owned Slack app flow rejects these fields.
Handle the callback
Mobius appends a closed set of query fields to your return_url:
| Field | When present | Meaning |
|---|---|---|
outcome | Always | connected, denied, or failed |
provider | Always | The provider ID, such as gmail or slack |
connection_id | Connected only | The persisted Mobius integration ID |
client_state | When supplied | Your opaque value, returned verbatim |
correlation_id | Always | Identifier to give support when investigating the callback |
error_code | Denied or failed | Stable code such as oauth_denied, oauth_failed, or invalid_state |
For example:
https://app.partner.example/settings/integrations/callback?outcome=connected&provider=gmail&connection_id=int_123&client_state=connect_session_01J8&correlation_id=cor_456Verify client_state before changing application state. On connected, store
the connection ID or refresh the provider status from Mobius. On denied, let
the user retry without treating the refusal as an application error. On
failed, record the correlation_id and show a retry path.
Revocation and fallback behavior
Mobius signs the return context into provider OAuth state and validates the origin both when the connection starts and when the provider calls back. Removing an origin therefore revokes in-flight returns to that origin.
If Mobius cannot authenticate the state, the origin is no longer allowed, or the final redirect would exceed 4,096 bytes, the browser falls back to the Mobius application. Do not assume every started attempt will reach the partner callback; reconcile provider status when your own attempt expires.
Next
- Connect Gmail or Slack.
- Use API keys and roles to limit who can replace the organization allowlist.
- Inspect the
replaceOAuthReturnOriginsrequest schema.