Skip to main content


In the previous section I highlighted the existence, and importance, of two endpoints:

For an external system that has validity and purpose outside of Noona, the developers might want to allow the flow from that side (and maybe exclusively so and omit the App Store flag when creating the app).

In that scenario the flow is:

  1. User clicks 'Connect to Noona' in external system.

  2. External system redirects user to:

    and as we can see the required query parameters are being populated.

    Why pass in redirect_uri?

    A single OAuth application might have multiple redirect URIs specified. So one of those URIs must be explicitly specified when starting the flow.

  3. Noona handles consent and redirects the user to the redirect_uri from step 2 with:

    • An Authorization Code
    • The state variable if it was provided
    • The scopes that the user gave consent for
  4. External application knows what user just finished the flow from the state variable it sent during step 2. So the application can exchange the authorization code for a refresh/access token using the token endpoint and connect it to the user identified by the state variable.

  5. It can now call Noona API using the access token with the Bearer authentication scheme.

    curl '' --header 'Authorization: Bearer <access-token>'

Again, for more detailed guides visit the App Store Section.