Connect & Disconnect Flow
Overview
This guide explains how to implement the connect and disconnect flows for your published integration. When users discover your integration in Bokio, they can connect it to their company using OAuth 2.0 Authorization Code Flow.
Prerequisites:
- Registered Public API Integration with
client_idandclient_secret - Published integration with
ConnectRedirectUrlconfigured - Understanding of OAuth 2.0 Authorization Code Flow
Connect Flow
How It Works
When a user clicks "Connect" on your integration:
- Bokio redirects the user to your
ConnectRedirectUrl - Your integration redirects to Bokio's
/authorizeendpoint - User authorizes your integration
- Bokio redirects back with an authorization code
- You exchange the code for tokens
- User is redirected back to the integration page
Step 1: Handle Redirect from Bokio
Bokio redirects to your ConnectRedirectUrl with these query parameters:
| Parameter | Type | Description |
|---|---|---|
bokio_tenantid | UUID | The unique identifier of the company |
bokio_tenanttype | string | Always company |
redirect_url | URL | Where to redirect after connection completes |
Example:
https://your-integration.com/connect
?bokio_tenantid=1be29990-f977-4a62-bb03-f0e126e685d0
&bokio_tenanttype=company
&redirect_url=https://app.bokio.se/1be29990-f977-4a62-bb03-f0e126e685d0/integrations/your-integration-idStep 2: Redirect to Bokio OAuth
Your endpoint should:
- Generate a
stateparameter for CSRF protection - Store tenant info and redirect URL temporarily
- Redirect to Bokio's
/authorizeendpoint
For full details on the OAuth flow, see Authentication for Public Integrations.
Authorization Request:
GET https://api.bokio.se/v1/authorize
?client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&response_type=code
&state=YOUR_GENERATED_STATE
&scope=journal-entries:read invoices:read
&bokio_tenantid=1be29990-f977-4a62-bb03-f0e126e685d0
&bokio_tenanttype=company| Parameter | Required | Description |
|---|---|---|
client_id | Yes | Your integration's client ID |
redirect_uri | Yes | Your registered OAuth callback URL |
response_type | Yes | Must be code |
state | Yes | Random value for CSRF protection |
scope | Yes | Space-separated list of scopes |
bokio_tenantid | Yes | Pass through from marketplace redirect |
bokio_tenanttype | Yes | Pass through from marketplace redirect |
The
stateparameter is required by Bokio's OAuth implementation.
Step 3: Handle OAuth Callback
After user authorization, Bokio redirects to your redirect_uri:
https://your-integration.com/oauth/callback
?code=id2-4IE6ACIT5yIMB2ae5zVV4PrisE5-8q_ehKfezK4
&state=YOUR_GENERATED_STATEYour callback endpoint should:
- Validate the
stateparameter (the one you generated in Step 2) - Exchange the authorization code for tokens (see Step 4)
- Store the connection with tokens in your system
- Redirect the user back to
redirect_url(the Bokio URL from Step 1) - see Step 5
Authorization Code Expiration: Codes expire in 5 minutes.
Step 4: Exchange Code for Tokens
POST https://api.bokio.se/v1/token HTTP/1.1
Authorization: Basic Base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=id2-4IE6ACIT5yIMB2ae5zVV4PrisE5-8q_ehKfezK4&redirect_uri=YOUR_REDIRECT_URIResponse:
{
"connection_id": "abc12345-6789-...",
"tenant_id": "1be29990-f977-4a62-bb03-f0e126e685d0",
"tenant_type": "company",
"access_token": "tffNhGDZ1FCpEWMkHduTA9FBnvNptzWSUfIlbcBHpdG5YJL",
"token_type": "bearer",
"expires_in": 3600,
"refresh_token": "RpV4TYS8Z1KnJHpAqPJzXtl5QDl6OuK6NrQJk2FfLrGzKiM"
}Store the
connection_idfrom this response. You will need it to manage the connection via the General API (e.g., when disconnecting).
Token Expiration:
- Access tokens expire in 1 hour
- Refresh tokens expire when used or if unused for 30 days
Step 5: Redirect Back
After storing the connection, redirect to the redirect_url from Step 1. The user will see their integration as "Connected".
Security: Always validate that theredirect_urlpoints to abokio.sedomain before redirecting. This prevents open redirect attacks.
Disconnect Flow
Options
Bokio supports two disconnect options:
| Option | Description | When to Use |
|---|---|---|
| Custom Disconnect | Redirect to your custom page | Need cleanup, custom messaging, or feedback |
| Direct Disconnect | Bokio handles immediately | Simple integrations, faster UX but no notification |
Option 1: Custom Disconnect (Recommended)
Configure a DisconnectRedirectUrl in your integration's publish information.
Flow:
- User clicks "Disconnect" on your integration
- Bokio redirects to your
DisconnectRedirectUrl - Your integration processes the disconnect (optional cleanup)
- Call the Bokio DELETE connection API (required)
- Redirect to the
callback_urlwith status
Disconnect URL Parameters
| Parameter | Type | Description |
|---|---|---|
connectionId | UUID | The connection to disconnect |
callback_url | URL | Where to redirect after processing |
state | string | Encrypted state for security validation |
Example redirect to your integration:
https://your-integration.com/disconnect
?connectionId=abc12345-...
&callback_url=https://api.bokio.se/api/publicintegration/disconnect-callback?...
&state=STATE_VALUEBokio includes a
stateparameter that must be passed back to the callback URL unchanged
Delete Connection API
Use the General API to delete the connection. First, obtain an access token using Client Credentials Grant.
Get Access Token:
POST https://api.bokio.se/v1/token HTTP/1.1
Authorization: Basic Base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentialsDelete Connection:
DELETE https://api.bokio.se/v1/connections/{connectionId}
Authorization: Bearer {access_token}Use the connection_id that you stored from the token response when the user connected.
Responses:
| Status | Description |
|---|---|
204 | Connection deleted successfully |
403 | Not allowed to delete this connection |
404 | Connection not found |
Redirect to Callback
After processing, redirect to the callback_url with a status parameter:
Always validate that the
callback_urlpoints to abokio.sedomain before redirecting. This prevents open redirect attacks.
| Status | Value | Description |
|---|---|---|
| Success | success | Disconnect completed successfully |
| Error | error | Disconnect failed |
| Warning | warning | Disconnect succeeded with warnings |
| Cancelled | cancelled | User cancelled |
Additional Parameters:
error: Error code (for error status)message: Detailed message for display
Example redirect:
{callback_url}?state={state-from-disconnect-redirect}&status=successOr with error:
{callback_url}?state={state-from-disconnect-redirect}&status=error&error=api_error&message=Failed%20to%20delete%20connectionOption 2: Direct Disconnect
If you don't configure a DisconnectRedirectUrl, Bokio handles disconnection directly:
- User clicks "Disconnect"
- Bokio deletes the connection immediately
- User sees updated connection status
Use this for simple integrations without cleanup requirements.
Connections API Reference
The General API provides endpoints to manage connections.
List Connections
GET https://api.bokio.se/v1/connections
Authorization: Bearer {access_token}Query Parameters:
| Parameter | Type | Description |
|---|---|---|
page | integer | Page number (default: 1) |
pageSize | integer | Items per page (default: 20, max: 100) |
tenantId | UUID | Filter by specific tenant |
Response:
{
"items": [
{
"id": "abc12345-...",
"tenantId": "1be29990-...",
"tenantName": "My Company AB",
"type": "company"
}
],
"page": 1,
"pageSize": 20,
"totalItems": 1,
"totalPages": 1
}Get Connection by ID
GET https://api.bokio.se/v1/connections/{connectionId}
Authorization: Bearer {access_token}Delete Connection by ID
DELETE https://api.bokio.se/v1/connections/{connectionId}
Authorization: Bearer {access_token}Best Practices
Security
- Always validate the
stateparameter in OAuth callbacks - Use HTTPS for all redirect URLs
- Store tokens securely with encryption at rest
- Exchange authorization codes immediately (5-minute expiry)
- Use Client Credentials Grant for General API access
User Experience
- Provide clear feedback during connect/disconnect
- Handle errors gracefully with user-friendly messages
- Always redirect back to the provided URLs
- Minimize friction in the connect flow
Implementation
- Store the
connection_idfrom the token response - you need it for disconnect - Test both connect and disconnect flows thoroughly
- Handle edge cases (expired codes, invalid tokens)
- Log connection events for debugging
- Support reconnection after disconnection
- Clean up resources properly during disconnect
Configuration Summary
Required
| Setting | Purpose |
|---|---|
client_id | OAuth client identifier |
client_secret | OAuth client secret |
redirect_uri | OAuth callback URL |
ConnectRedirectUrl | Marketplace connection entry point |
Optional
| Setting | Purpose |
|---|---|
DisconnectRedirectUrl | Custom disconnect page URL |
Error Handling
Connection Errors
| Symptom | Common Causes | Solutions |
|---|---|---|
| Cannot connect | URL not configured, not HTTPS | Verify ConnectRedirectUrl |
| OAuth fails | Invalid credentials, URI mismatch | Check registration |
| State invalid | Not validated or tampered | Validate state correctly |
Disconnection Errors
| Symptom | Common Causes | Solutions |
|---|---|---|
| Connection remains | DELETE failed, wrong token | Use General API token |
| 404 response | Invalid ID | Verify connection exists |
| 403 response | Wrong integration | Check ownership |
Related Documentation
Updated about 1 month ago