BundleUp uses a two-step authorization flow to securely connect external accounts and produce a connection ID you can use for all proxy requests. This flow cleanly separates user authorization from API execution and ensures that sensitive credentials are never exposed to the browser.

The authorization flow has 2 steps:

  1. Create a connection session → get a short-lived session token
  2. Authorize the session → complete OAuth and receive a connection ID

Backend requirement

The connection session must be created from your backend. Creating a session requires your BundleUp API key, and API keys must never be exposed on the frontend. Your frontend should only ever receive the session token, which is short-lived and safe to pass to the browser. The session token is used exclusively to complete user authorization and cannot be used to make proxy requests. At no point should your frontend have access to your BundleUp API key.
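
One way to enforce this split on the backend, as an added example rather than BundleUp's own code: the handler keeps the API key in a closure and returns only the session token to the browser. `createSession` and the `token` field are hypothetical stand-ins for the real session-creation call and its response.

```javascript
// Added example, not BundleUp's code. `createSession` is a hypothetical
// function you supply that wraps the real "create connection session" call;
// the `token` field name on its result is an assumption.

// Allowlist what reaches the browser: copy the session token only,
// never forward the upstream response object wholesale.
function toBrowserPayload(upstream, apiKey) {
  if (!upstream || typeof upstream.token !== "string" || upstream.token === "") {
    throw new Error("no session token in upstream response");
  }
  const payload = { sessionToken: upstream.token };
  // Last line of defence: refuse to emit anything containing the API key.
  if (JSON.stringify(payload).includes(apiKey)) {
    throw new Error("refusing to send API key to the browser");
  }
  return payload;
}

// Build the backend route handler. The API key lives in this closure and is
// passed only to createSession.
function makeSessionHandler({ apiKey, createSession }) {
  if (!apiKey) throw new Error("API key not configured"); // fail closed
  return async function handleCreateSession(userId) {
    const upstream = await createSession(apiKey, userId);
    return toBrowserPayload(upstream, apiKey);
  };
}

// Constructed demo: the stub stands in for the real API call and returns
// extra fields, including the key, to show that they are dropped.
const demoKey = "key_constructed_abc";
const demoHandler = makeSessionHandler({
  apiKey: demoKey,
  createSession: async (key, userId) => ({
    token: "sess_constructed_123", echoedKey: key, userId,
  }),
});
demoHandler("user-1").then((body) => console.log(JSON.stringify(body)));
```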

After authorization

Once the user completes authorization and a connection is created, BundleUp returns a connection ID. From that point on, OAuth is complete and never needs to be repeated unless the connection is revoked or expires. All future API requests are made using the connection ID and your API key from the backend.