Documentation Index Fetch the complete documentation index at: https://noorle.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
Connected Apps let external applications (SaaS, integrations, mobile apps) access your Noorle account on your behalf. You remain in control—you can revoke access anytime.How It Works User Authorizes App App Accesses Your Account App: "I need to list your agents" │ └─ Sends request with access token curl -H "Authorization: Bearer eyJ..." \ https://api.noorle.com/agents │ └─ Noorle verifies token └─ Allows access (user approved) └─ Returns: Your agents
User Revokes Access Console → Settings → Connected Apps ├─ MyApp (connected 3/22) │ ├─ Permissions: read, execute │ ├─ Last used: Today 2:30 PM │ └─ [Revoke] │ └─ All tokens immediately invalid App can't access anymore
Registering an App Dynamic Registration (Recommended) If app supports dynamic registration (OpenID Connect), simply connect:
User clicks "Connect Noorle" │ └─ App registers dynamically ├─ Sends app details to Noorle ├─ Noorle generates client_id, client_secret ├─ User authorizes └─ App gets access token
No manual registration needed. App self-registers on first use.Manual Registration For legacy apps, register in Console:
Console → Developer → OAuth Apps ├─ Create App │ ├─ App name: "MyAnalytics" │ ├─ Description: "Analytics integration" │ ├─ Redirect URI: https://myapp.example.com/callback │ ├─ Logo URL: https://myapp.example.com/logo.png │ │ │ └─ Generated credentials: │ ├─ client_id: "app_abc123xyz" │ └─ client_secret: "secret_def456uvw" │ (save securely, don't share)
OAuth Scopes Request only permissions you need:
Available scopes: ├─ read (list, view resources) ├─ execute (run agents, call tools) ├─ manage (create, update resources) ├─ admin (full control, delete) └─ offline_access (get refresh token)
Example: Data Analytics App Scopes: read offline_access Why: ├─ read = can view agents, memory, results ├─ NOT execute = can't run agents (just read data) ├─ offline_access = refresh token for background jobs
Example: Bot Management Console Scopes: read execute manage offline_access Why: ├─ read = view agents ├─ execute = run agents for user ├─ manage = let user create agents ├─ offline_access = refresh token for 24/7 monitoring
OAuth Flow Details 1. Authorization Request App sends user to Noorle:
https://auth.noorle.com/oauth/authorize? client_id=app_abc123xyz &scope=read%20execute%20offline_access &redirect_uri=https://app.example.com/callback &state=random-string-to-prevent-csrf &response_type=code
Parameters:
client_id - App identifierscope - Permissions app is requestingredirect_uri - Where to send user after authstate - Random string (app verifies after redirect)response_type - Always “code”
2. Authorization Code After user approves, Noorle redirects:
https://app.example.com/callback? code=AUTH_CODE_123 &state=random-string-to-prevent-csrf
App verifies: // Verify state matches (prevents CSRF) if ( request . state !== session . state ) { throw new Error ( "State mismatch - possible CSRF" ); } // Exchange code for token
3. Token Exchange App exchanges code for access token (backend call):
POST https://api.noorle.com/oauth/token Body: { "grant_type" : "authorization_code", "code" : "AUTH_CODE_123", "client_id" : "app_abc123xyz", "client_secret" : "secret_def456uvw" // backend only! } Response: { "access_token" : "eyJhbGciOiJIUzI1NiIs...", "refresh_token" : "eyJhbGciOiJIUzI1NiIs...", "expires_in" : 3600, "token_type" : "Bearer" }
4. Access Protected Resources App now calls Noorle APIs:
curl -H "Authorization: Bearer eyJhbGc..." \ https://api.noorle.com/agents Response: { "agents" : [ { "id" : "...", "name": "ResearchBot" }, { "id" : "...", "name": "SupportBot" } ] }
Monitoring Connected Apps View All Connected Apps Console → Settings → Connected Apps ├─ App1 │ ├─ Status: Active │ ├─ Scopes: read execute │ ├─ Connected: March 22, 2024 │ ├─ Last used: March 22, 2:30 PM │ └─ Actions: [Revoke] │ ├─ App2 │ ├─ Status: Active │ ├─ Scopes: read offline_access │ ├─ Connected: February 15, 2024 │ ├─ Last used: Never │ └─ Actions: [Revoke] │ └─ App3 ├─ Status: Inactive (pending confirmation) └─ Actions: [Approve] [Deny]
Revoke Access # Via Console (instant) Console → Settings → Connected Apps → [App Name] → [Revoke] # Via API DELETE /api/account/oauth-clients/{client_id}/authorization
Immediate effects:
All tokens invalidated
App cannot make API calls
App receives 401 Unauthorized
Refresh Tokens If app requested offline_access scope, it has refresh token:
Access token expires (1 hour) │ └─ App uses refresh token to get new access token │ └─ No user interaction needed App continues working in background
Example: Daily Report Generator 1. User connects app (scope: offline_access) 2. User goes away 3. 11 PM: App wakes up, needs to run report 4. App's access token expired 5. App refreshes using refresh token 6. Generates report (automatic) 7. User wakes up to report in inbox
Security Considerations 1. Verify SSL Certificate Only connect over HTTPS:
// INSECURE: HTTP redirect const redirectUri = "http://app.example.com/callback" ; // Token could be intercepted // SECURE: HTTPS redirect const redirectUri = "https://app.example.com/callback" ; // TLS encryption protects token
2. Protect Client Secret Backend only, never in browser:
// BAD: Client secret in browser const clientSecret = "secret_def456uvw" ; // Anyone can view in network tab // GOOD: Client secret on backend // Stored in .env file, Docker secret, etc. // Never sent to browser
3. Use PKCE (Mobile Apps) Mobile apps should use PKCE to protect authorization code:
Mobile App │ ├─ Generate random string (code_verifier) │ ├─ Send to Noorle │ + code_challenge (hash of code_verifier) │ ├─ Receive authorization code │ └─ Exchange code for token + code_verifier (proves app = same as before) (Attacker can't intercept and use code)
Common Patterns Pattern: Analytics Dashboard App wants to show user’s agents in dashboard.
{ "app_name" : "Analytics Dashboard" , "scopes" : [ "read" , "offline_access" ], "flow" : "User authorizes once. App periodically fetches agent metrics." }
User benefits:
Can revoke anytime
Metrics stay up-to-date
No manual data export needed
Pattern: Slack Integration Slack app wants to create agents in user’s Noorle account.
{ "app_name" : "Slack to Noorle" , "scopes" : [ "read" , "execute" , "manage" , "offline_access" ], "flow" : "User authorizes. Slack app creates agents, executes them, reports back." }
User benefits:
Agents are created in their account (they own them)
Can modify/delete agents anytime
Can revoke Slack access anytime (agents remain)
Troubleshooting Problem Solution ”invalid_client” Client ID/secret incorrect. Check registration. ”invalid_scope” Scope not supported. Check available scopes. ”state mismatch” CSRF protection failed. Session may have expired. Try again. ”code expired” Authorization code valid for 10 minutes only. Re-authorize. ”insufficient_scope” Token doesn’t have required permission. Re-authorize with correct scopes.
Best Practices
Request Minimum Scopes Don’t ask for admin if read is sufficient. Users trust apps that ask for less.
Clear App Description Tell user exactly what you’ll do. Be specific about scope usage.
Monitor Token Use Log when app accesses user’s data. Be transparent about usage.
Support Revocation Handle 401 Unauthorized gracefully. Prompt user to re-authorize if needed.
Next: Learn about Roles and Permissions for access control. 
