Does the OAuth domain have to be the same as the plugin API domain?


I was going through your documentation to implement the OAuth flow.
As we are building a tool helping plugin creators to implement SignIn through our platform, I wanted to know if it’s okay if the API plugin domain is not the same as the AUTH domain.

Here is an example (truncated) manifest:

    "auth": {
      "type": "oauth",
      "client_url": "",  << DIFFERENT URL
      "authorization_url": "", << DIFFERENT URL
      "authorization_content_type": "application/json"
    },
    "api": {
      "type": "openapi",
      "url": "", << DIFFERENT URL
      "is_user_authenticated": false
    }

In this example you can see API domain is whereas AUTH domain is

Would that be okay?

Let me know if that needs to be clarified 🙂

Thanks for your response 🙂

Hi @kevinpiac

You might find reading domain security and verification guidelines helpful.

Hey @sps ,

Thanks for your answer!

Actually, I might be missing something but I don’t find any response to my question on this page.

The documentation explains the domain constraints related to contact_info, legal_info and api.url but there is no constraint mentioned for authorization and client_url (auth flow).

Please let me know if I’m misreading something. 🙂

Thanks for the clarification.

Yes, indeed, there doesn’t seem to be any such requirement about the authorization URL directly mentioned in the docs.