home

Zephr

Zuora BillingZuora PaymentsZuora PlatformZuora CPQZephrZuora RevenueAccounts ReceivableRelease NotesBasicsEntitlementsSupport and policies
Zuora BillingZuora PaymentsZuora PlatformZuora CPQZephrZuora RevenueAccounts ReceivableRelease NotesBasicsEntitlementsSupport and policies

Welcome to Zuora Product Documentation

Explore our rich library of product information

Show Contents

thumbnailZephr

Configure third-party authentication

Get the user token

Learn how to obtain the user token by locating the authorization code in the developer tools pane and exchanging it for an access token.

You can see the authorization code that must be used in the first API call in the developer tools pane.

To locate the authorization code, complete the following steps:

  1. In the consent page, right-click to display the context menu.
  2. Select Inspect. The developer tools pane displays.
  3. Select Network from the options in the developer tool pane. If you cannot see Network , select the arrows to display more options
  4. Select the Allow button in the consent page The authorization code is displayed in the developer tools pane as illustrated below: thirdparty_authcode.png
The endpoint token exchange call is on the Admin Console. The token exchange uses Basic Authorization, which uses the Client ID and Client Secret shown in the Third Party Authentication screen.
Note: The Client ID and Client Secret are displayed in the Third Party Authentication screen if you have enabled OAuth 2.0 in the third-party authentication settings and saved the site.

The payload must contain the following:

  • Authorization code
  • Redirect URI
  • Grant Type

For example, the following cURL request uses an authorization code of Basic , a redirect URL of https://thirdpartyurl.com/auth/callback and a grant type of authorization_code : 

curl --location --request POST
'https://console.zephr.com/zephr/oauth2/token' \
--header 'Authorization: Basic
ZzQya3R1dXl5cHE5Om12dty2x3bXJycGgwNW95YjBzdmVud2V0OQ==' \
--header 'Content-Type: application/json' \
--data-raw '{
    "code": "kcpa10fzqa9nmut95duwok0c",
    "redirect_uri": "https://thirdparyurl.com/auth/callback",
    "grant_type": "authorization_code"
        }'

The response body returned for a successful token exchange request is similar to the following:

{
    "scope": "user.account:read, user.profile:read",
    "access_token": "oa_rrcly8rsusfc1e5sdgxzv8uh",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "1if5j2aaverj80tx2nvvvutq",
    "user_id": "68c0f5ae-f857-408f-a9d6-f511df0f8ae8"
}

The access code from the response body is used in a second API call using bearer token authentication to get or update the user information. For further information on the API calls, refer to the Public API documentation. If the access token for the user has expired, you can use the refresh_token parameter in the API call, as shown in the following example cURL command: 

curl --location --request POST
'https://console.zephr.com/zephr/oauth2/token' \
--header 'Authorization: Basic
ZzQya3R1dXl5cHE5Om12d2x3bXJycGgwNW95YjBzdmVud2V0OQ==' \
--header 'Content-Type: application/json' \
--data-raw '{
    "refresh_token": "1if5j2aaverj80tx2nvvvutq",
    "grant_type": "refresh_token"
        }'

Last updated: October 10, 2025