What if my authorization URL is dynamic?

Any dynamic values you need for your authorization process can be passed through the process using the state parameter.

Utilizing the state parameter

Whilst the primary reason for the state parameter is documented as preventing CSRF, it can also be used to add dynamic values to your OAuth flow, instead of using them directly in your redirect_uri value.

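It is common for the parameter to be a JSON string, which is then signed, or encrypted with an authenticated cipher, using a key held only by your server, for example with an HMAC-SHA256 signature. A plain SHA256 hash is unkeyed and is not encryption, so on its own it does not prevent tampering. An example of the JSON before it is protected: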

{
    "csrf": "random-string",
    "user_id": "1234-abcd",
    "redirect": "/settings/dashboard"
}

In this case, a redirect_uri value of

 https://example.com/oauth?userID=1234-abcd&redirect=$URL

where userID=1234-abcd and redirect are dynamic values, will then become:

?redirect_uri=https://example.com/oauth&state=base64-SHA

When you receive the request at the end of the OAuth process, the state parameter can be verified and decoded (or decrypted) and the various values within it used as necessary. The signature or encryption ensures that users cannot tamper with the contents undetected, so once verification succeeds you can be confident the values within it can be trusted.

You can learn more about the usage of a state parameter here.
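The signing and verification steps described above, as an added example that is not Cronofy's own code. It assumes HMAC-SHA256 signing rather than encryption, so the values are readable but cannot be modified; the names `encode_state`, `decode_state` and `SECRET_KEY` are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

# Assumption: in a real deployment this key is a stable server-side secret.
SECRET_KEY = secrets.token_bytes(32)

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def encode_state(values: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the dynamic values and append an HMAC-SHA256 tag."""
    payload = json.dumps(values, separators=(",", ":")).encode()
    return b64e(payload) + "." + b64e(sign(payload, key))

def decode_state(state: str, session_csrf: str, key: bytes = SECRET_KEY) -> dict:
    """Verify the tag, then the CSRF token, then the redirect target."""
    try:
        payload_b64, tag_b64 = state.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:
        raise ValueError("malformed state") from None
    # Constant-time comparison; reject before parsing untrusted JSON.
    if not hmac.compare_digest(tag, sign(payload, key)):
        raise ValueError("state signature mismatch")
    values = json.loads(payload)
    # The csrf value must match the one stored in this user's session.
    csrf = str(values.get("csrf", "")).encode()
    if not hmac.compare_digest(csrf, session_csrf.encode()):
        raise ValueError("csrf mismatch")
    # Only allow same-site paths, so a signed state cannot become an open redirect.
    redirect = values.get("redirect", "/")
    if not redirect.startswith("/") or redirect.startswith("//") or "\\" in redirect:
        raise ValueError("redirect must be a local path")
    return values

if __name__ == "__main__":
    csrf = secrets.token_urlsafe(16)  # constructed sample values
    state = encode_state({"csrf": csrf, "user_id": "1234-abcd",
                          "redirect": "/settings/dashboard"})
    print("state =", state)
    print(decode_state(state, csrf))
```

The resulting string is what goes in the `state` query parameter alongside the fixed `redirect_uri`.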

Adding additional URIs for your application

We can add additional URIs to your application's allowed list upon request. To do this, please email the additional URIs, along with your client_id, to support@cronofy.com.