What is managed auth?
Nango Auth handles the entire authentication lifecycle so you don’t have to. Instead of implementing OAuth flows, storing tokens, and handling refresh logic for every API your product integrates with, you embed Nango’s auth flow and Nango takes care of everything. This means:
- OAuth 2.0 and OAuth 1.0a flows are handled end-to-end, including the redirect, token exchange, and storage
- API keys and basic auth are collected from users and stored securely
- Token refresh happens automatically before credentials expire — your code always gets a valid token
- Credential storage is encrypted at rest; you retrieve credentials on demand, not ahead of time
Core concepts
Provider
A Provider is a third-party API that Nango has pre-built support for, such as GitHub, Salesforce, or Slack. Nango supports 700+ providers, each with pre-configured OAuth settings, token refresh behavior, and auth type.
You don’t configure anything at the provider level. Providers are ready to use.
Integration
An Integration is your configured connection to a provider. You create an integration in the Nango dashboard by selecting a provider and entering your OAuth app credentials (client ID and client secret).
Each integration has a unique key you reference in the SDK and API. For example, you might have a github integration or a github-prod integration to separate environments.
Connection
A Connection is created when one of your users successfully completes an auth flow. It stores that user’s credentials for a specific integration and keeps them valid over time.
Connections are identified by a connection ID that you define, typically a user ID, workspace ID, or similar identifier from your system. You retrieve credentials from a connection whenever you need to make an API call on behalf of that user.
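As an added example (not Nango's code and not part of the original page), here is one way a backend can tie these concepts together: it derives the connection ID from the server-side session rather than from client input, and fetches credentials at call time instead of caching them. The names resolveConnectionId, withProviderToken, savedConnections and fakeNango are hypothetical, and the argument order and return shape of getConnection are assumptions.

```javascript
// Added example, not Nango's code. `nango` is any client exposing
// getConnection(integrationKey, connectionId); the argument order and the
// returned { credentials: { access_token } } shape are assumptions.

// Constructed sample rows: the connection IDs your database saved after
// each workspace completed the auth flow (connection ID = workspace ID here).
const savedConnections = new Set(['github-prod:ws_100', 'github-prod:ws_200']);

// Derive the connection ID from the server-side session only. A connection
// ID sent by the browser is never trusted, so one tenant cannot name
// another tenant's connection.
function resolveConnectionId(session, integrationKey) {
  if (!session || !session.workspaceId) {
    throw new Error('unauthenticated');
  }
  const connectionId = session.workspaceId;
  if (!savedConnections.has(`${integrationKey}:${connectionId}`)) {
    throw new Error('no connection for this workspace');
  }
  return connectionId;
}

// Fetch credentials at call time, hand the token to the request callback,
// and let it go out of scope. Nothing is cached locally, so each call uses
// whatever token the credential store returns at that moment.
async function withProviderToken(nango, session, integrationKey, request) {
  const connectionId = resolveConnectionId(session, integrationKey);
  const connection = await nango.getConnection(integrationKey, connectionId);
  const token = connection.credentials && connection.credentials.access_token;
  if (!token) throw new Error('connection has no usable credentials');
  return request(token);
}

// Stand-in client so the example runs offline (hypothetical, constructed tokens).
const fakeNango = {
  calls: [],
  async getConnection(integrationKey, connectionId) {
    this.calls.push([integrationKey, connectionId]);
    return { credentials: { access_token: `tok-${connectionId}-${this.calls.length}` } };
  },
};
```

In production the `nango` argument would be the real SDK client and `request` would perform the provider API call with the token it receives.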
Supported auth types
| Type | Description |
|---|---|
| OAuth 2.0 | Standard authorization code flow with automatic token refresh |
| OAuth 1.0a | Legacy OAuth flow for APIs like Twitter v1 and Trello |
| API key | Single-token auth; collected from users via the Connect UI |
| Basic auth | Username and password credentials stored securely |
| Custom | Multi-step or non-standard flows supported for specific providers |
The auth lifecycle
Authorization
Your user clicks “Connect” in your product. Nango’s Connect UI opens and guides them through the provider’s login and permission grant. For OAuth, Nango manages the redirect flow automatically. For API keys, the Connect UI shows a form to collect the key.
Token storage
After the user authorizes, Nango stores the credentials (access token, refresh token, API key, etc.) in encrypted storage. A connection is created with a unique ID that you save in your database.
Auto-refresh
Nango monitors token expiry and proactively refreshes OAuth tokens before they expire. When you call nango.getConnection() or use the Proxy, you always receive a valid token, with no refresh logic needed in your code.
Capabilities
- OAuth 2.0, OAuth 1.0a, API keys, basic auth, and custom auth schemes
- Fully white-labeled Connect UI embeddable in your product
- API-specific guidance shown to users during authorization
- Encrypted credential storage with on-demand retrieval
- Automatic token refresh with proactive expiry detection
- 700+ supported APIs, with new APIs added on demand
- Credential failure detection and re-connection flows
- Per-connection diagnostics and authorization logs
Next steps
Implement auth
Set up the authorization flow in your backend and frontend.
Connect UI
Customize and embed the white-label auth interface in your product.
Connection management
List, retrieve, update, and delete connections programmatically.