Skip to main content
BundleUp supports two ways to authenticate and connect an external account: popup-based authentication and redirect-based authentication. Both methods ultimately produce the same result a connection ID. They differ only in how the user completes authorization.

Method 1: Popup-based authentication (no redirect URL)

Popup-based authentication is designed for modern web applications where you want to keep the user on the same page and avoid full-page redirects. In this flow, you create a connection session without providing a redirect URL. You then open a BundleUp-hosted authorization page in a popup window. The user completes authentication inside the popup, and once authorization succeeds, the popup closes and the connection ID is returned to your application. Because the popup communicates directly with your application, no redirect URL is required and no server-side callback endpoint is needed. This approach is ideal for dashboards, embedded onboarding flows, and single-page applications where maintaining UI context is important.

Method 2: Redirect-based authentication (with redirect URL)

Redirect-based authentication is the traditional OAuth flow and works well for server-driven or multi-page applications. In this flow, you create a connection session and provide a redirect URL. You then redirect the user’s browser to BundleUp’s authorization endpoint. The user is redirected to the external provider to grant access, and once authorization is complete, BundleUp redirects the user back to your specified redirect URL. The redirect includes the connection ID as a query parameter. Your backend or frontend callback handler captures this value and stores it for future use. This approach is ideal when popups are not possible or desirable, such as mobile browsers, strict content security policies, or backend-controlled authentication flows.

Choosing the right method

Popup-based authentication provides a smoother user experience and requires less backend setup, but it depends on the browser allowing popups and client-side JavaScript. Redirect-based authentication is more universally supported and easier to reason about in backend-driven systems, but it involves a full-page navigation and requires a registered redirect URL. Both methods are equally secure and result in the same connection object inside BundleUp.

End result

No matter which authentication method you choose, the outcome is the same. You receive a connection ID that represents a single external account. From that point on, all API calls are made through the BundleUp proxy using that connection ID, without any further user interaction or OAuth handling. The authentication flow exists only to create the connection. Once the connection ID exists, authentication is effectively complete.