Cobalt makes use of the API credentials and access tokens authorised by your end customers to authenticate the api calls to that particular application on their behalf. Once the end customer goes through the auth flow, Cobalt saves the encrypted tokens and keys and refreshes them if/when required to maintain the functionality of the created orchestration.

However, there certain limitations where Cobalt can no longer authenticate the API on behalf of your end customers.

  1. The provided API credentials for eg: API keys, API secrets has been expired
  2. The access token or refresh token of the end customer has been revoked
  3. The refresh token of the end customer has been expired
  4. The end customer uninstalls the application
  5. The user deletes the application being used by their customer

In the above scenarios, Cobalt would not have the required authorizations to make api calls on behalf of the customer. For such scenarios Cobalt flags an application integration for reauth-required for the customer and they would need to re-authenticate for the orchestration to function again.

Handling re-auth

When any of the above mentioned scenarios occur, Cobalt sets a flag reauth-required for the application integration of the customer. You could find this in the application response object. See below -

cURL
  curl --request GET \
  --url https://api.gocobalt.io/api/v2/public/application \
  --header 'linked_account_id: <linked_account_id>' \
  --header 'x-api-key: <x-api-key>'

below is a sample response with an application with expired authentication.

Response
 [
    {
        "name": "Slack",
        "icon": "https://cobalt-app-logos.s3.ap-south-1.amazonaws.com/slack/logo.png",
        "description": "Slack is a platform for team communication: everything in one place, instantly searchable, available wherever you go. Offering instant messaging, document sharing and knowledge search for modern teams.",
        "auth_type": "oauth2",
        "tags": [
            "Communication"
        ],
        "version": {
            "_v": "1.0.0",
            "description": "Slack is a platform for team communication: everything in one place, instantly searchable, available wherever you go. Offering instant messaging, document sharing and knowledge search for modern teams."
        },
        "connected": true,
        "connected_accounts": [
            {
                "identifier": "Cobalt",
                "connectedAt": "2023-05-31T07:45:59.841Z"
            }
        ],
        "slug": "slack",
        "reauth_required": true
    },
    ...
]

This re-authentication flow is handled by the Hosted flow and the Embeded flow where the user would be asked to re-connect if the application authentication has been expired.

Application with expired authentication

If you have been using the Seamless flow for customizing the code on the client side, just check for the reauth_required field in the application list response, and use the .connect() method to connect to the application again.

Re-authentication
cobalt.connect("slack") // opens a new tab for re-authentication
cobalt.connect("twilio", {
  number: "<credential>",
  sid: "<credential>",
}) // saves the new auth data for key based apps

Checkout the auth methods for more details.

Reconnect app with expired auth

Getting notified using webhook.

Cobalt supports webhook subscription for an event when an application auth gets expired for a linked account. You would need to subscribe for the event Connection Expired. Cobalt would then notify you whenever an app connection expires and provide details about the application and the account,

Webhook payload
{
 "linked_account_id": "12345",
 "org_id": "645270e37917442c4307297a",
 "environment": "test",
 "type": "General",
 "event": "Connection Expired",
 "slug": "pipedrive",
 "createdAt": "Tue, 07 Nov 2023 08:38:33 GMT"
}
Webhook subscription for connection expired

Checkout Cobalt webhooks for more details.

Seamless FlowApp Settings