In the world of API design, authentication is not a detail - it's architecture.
Yet, in many API clients, authentication is abstracted away, treated as a quiet dropdown or a hidden side panel. While this works, it can hide crucial mechanisms, leading to confusion, duplication, and fragile configurations that are difficult to manage as a system evolves.
Voiden was built to challenge this model. Because Voiden is fundamentally based on composable blocks, authentication is not a hidden configuration. It is a first-class, reusable unit in your API system, making dependencies explicit and structure transparent.
Authentication as a First-Class Block
In Voiden, authentication settings are not duplicated across requests or buried inside environment configurations. They exist as visible, versionable, and reusable blocks.
Why this matters:
Transparency: When you view a request, you immediately see how authentication is attached. There is no hidden behavior or silent injection of headers.
Coherence: When credentials rotate or token formats change, you update the modular block once. Every request that references it reflects the change, maintaining system-wide coherence.
Full Support for OAuth 1.0 and OAuth 2.0
Voiden allows you to integrate both signature-based legacy systems and modern delegated authorization within the same modular framework.
1. OAuth 1.0 Authorization Block
Although older, OAuth 1.0 remains vital in certain enterprise environments where signature-based verification is preferred. In Voiden, this is a dedicated Authorization Block, created by typing /auth-oauth1 in your file.
| Parameter | Description |
| --- | --- |
| consumer_key | The public identifier for your application. |
| consumer_secret | The private key used in generating request signatures. |
| access_token | The token representing the user’s authorization. |
| token_secret | The secret tied to the access token. |
| signature_method | The cryptographic algorithm for signing the request (e.g., HMAC-SHA1). |
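How the five fields above combine into a signed request under the OAuth 1.0 specification (RFC 5849, HMAC-SHA1), as an added example that is not Voiden's own code. The `block` dictionary is a hypothetical stand-in for the block's fields, and the credentials, URL, nonce and timestamp are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding, as RFC 5849 section 3.6 requires."""
    return quote(str(value), safe="")


def signature_base_string(method, base_url, params):
    """METHOD & encoded URL & encoded, sorted parameter string (section 3.4.1)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign_hmac_sha1(base, consumer_secret, token_secret):
    """The HMAC key is both secrets joined by '&'; neither is sent on the wire."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, base_url, request_params, block, nonce, timestamp):
    """`block` is a hypothetical dict mirroring the five fields in the table."""
    oauth = {
        "oauth_consumer_key": block["consumer_key"],
        "oauth_token": block["access_token"],
        "oauth_signature_method": block["signature_method"],  # HMAC-SHA1 only here
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, base_url, {**request_params, **oauth})
    oauth["oauth_signature"] = sign_hmac_sha1(
        base, block["consumer_secret"], block["token_secret"])
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))


# Constructed sample values, not real credentials.
BLOCK = dict(
    consumer_key="example-consumer-key", consumer_secret="example-consumer-secret",
    access_token="example-access-token", token_secret="example-token-secret",
    signature_method="HMAC-SHA1")
HEADER = authorization_header(
    "GET", "https://api.example.test/v1/items", {"q": "a b"}, BLOCK,
    nonce="constructed-nonce", timestamp=1700000000)
```

Only the two identifiers and the signature appear in the header; the two secrets stay local, which is why rotating either one invalidates every previously computed signature.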
2. OAuth 2.0 Authorization Block
OAuth 2.0 is the modern standard used by most major identity providers (Google, GitHub, Microsoft). It’s also implemented as a modular Authorization Block, created by typing /auth-oauth2.
| Parameter | Description |
| --- | --- |
| access_token | The token issued by the authorization server granting access to protected resources. |
| token_type | Specifies the token type (commonly "Bearer"). |
| header_prefix | The prefix added before the token in the Authorization header (e.g., Authorization: Bearer ). |
OAuth Flow Tips and Gotchas
For those working with complex OAuth 2.0 flows, here are essential tips to ensure a smooth integration:
Callback URL & Port Whitelisting
Voiden listens for the OAuth redirect on http://localhost:9090/callback by default.
Critical: This exact URL must be registered in your OAuth provider's dashboard under "Allowed Redirect URIs" (or equivalent). Mismatches, even a trailing slash, will cause rejection.
The Discover Button
If your provider supports OpenID Connect, you can use the Discover button (available in Authorization Code and Implicit flows).
Simply enter the provider's root URL (e.g., https://accounts.google.com/), and Voiden will automatically look up and populate the required auth_url, token_url, and scope fields.
Advanced Settings Control
Collapsed by default, these settings offer fine-grained control:
add_token_to: Determines where the token is attached (most APIs expect the Header).
header_prefix: The word before the token (default: Bearer). Change this only if explicitly required by your API.
variable_prefix: Used to namespace stored token variables (default: oauth2). Crucial to prevent collisions: Assign a unique prefix (e.g., google, github) to every OAuth2 block to avoid authentication errors when using multiple providers.
client_auth: Controls how client_id and client_secret are sent during token exchange (in the Body or as a Basic Auth header).
Auto-Refresh
Enable Auto-Refresh via the checkbox for silent token renewal. For this feature to work:
Your provider must return a refresh_token during the initial token exchange.
Token configuration (like token_url and client_id) is snapshotted when you first click Get Token. If you edit these fields later, you must click Get Token again to update the snapshot.
You have a 120-second timeout to complete the browser login after clicking Get Token.
By treating OAuth as a composable, visible block, Voiden helps engineers think architecturally instead of administratively, ensuring that authentication is a robust part of the system, not a vulnerable side note.
If you believe API tooling should move beyond better forms and toward better system design, Voiden is worth exploring.
Take a look at us here: https://voiden.md/
GitHub: https://github.com/VoidenHQ/voiden