Skip to content

An OAuth app is the combination of a client, a set of endpoints (i.e. urls where various requests should be sent), and an authentication mechanism. A client consists of at least a client_id, and also often a client_secret. You'll get these values when you create the client on the API's website.


  secret = NULL,
  key = NULL,
  auth = c("body", "header", "jwt_sig"),
  auth_params = list(),
  name = hash(id)



Client identifier.


Url to retrieve an access token.


Client secret. For most apps, this is technically confidential so in principle you should avoid storing it in source code. However, many APIs require it in order to provide a user friendly authentication experience, and the risks of including it are usually low. To make things a little safer, I recommend using obfuscate() when recording the client secret in public code.


Client key. As an alternative to using a secret, you can instead supply a confidential private key. This should never be included in a package.


Authentication mechanism used by the client to prove itself to the API. Can be one of three built-in methods ("body", "header", or "jwt"), or a function that will be called with arguments req, client, and the contents of auth_params.

The most common mechanism in the wild is "body" where the client_id and (optionally) client_secret are added to the body. "header" sends the client_id and client_secret in HTTP Authorization header. "jwt_sig" will generate a JWT, and include it in a client_assertion field in the body.

See oauth_client_req_auth() for more details.


Additional parameters passed to the function specified by auth.


Optional name for the client. Used when generating the cache directory. If NULL, generated from hash of client_id. If you're defining a client for use in a package, I recommend that you use the package name.


An OAuth client: An S3 list with class httr2_oauth_client.


oauth_client("myclient", "", secret = "DONTLOOK")
#> <httr2_oauth_client>
#> name: 920903ca1274bc747bb367c6b5abe4a4
#> id: myclient
#> secret: <REDACTED>
#> token_url:
#> auth: oauth_client_req_auth_body