# Custom OAuth

The built-in connectors cover GitHub, Linear, and Slack, but plenty of services aren't on that list. **Custom OAuth** lets you connect any service that supports **OAuth 2.0**. You supply the provider's details and your own credentials, and the connection then works the same way as a preset.

## When to Use Custom OAuth

Reach for custom OAuth when the service you want isn't one of the built-in presets. If it **is** a preset, use that instead, since the preset hides the provider's credentials and saves you the setup. Use custom OAuth for everything else that signs users in with OAuth 2.0.

## Connecting a Custom Provider

1. **Open the Integration menu**: In the **Agent Chat**, click **the Plus button** in the composer, click **Integration**, and select **Other OAuth Provider**.
2. **Register Glaze with the provider**: In the provider's developer settings, create an OAuth application and add Glaze's redirect URL so the provider can hand the connection back. This is where you get the **client ID** the app will use.
   ```text
   https://www.glaze.app/api/oauth/callback
   ```
3. **Supply the provider details**: Describe what the service requires, typically its **authorization URL**, **token URL**, your **client ID**, and the **scopes** the app needs. Some providers also require a **client secret**. The agent wires these into the app's OAuth service for you.
4. **Authorize in your browser**: When you run the app and sign in, Glaze opens the provider's sign-in page in your browser. Approve the request, and the provider sends you back to finish the connection.

## What You Supply

A custom connection needs the same pieces every OAuth provider defines. You'll usually find these in the provider's API or developer documentation:

- **Authorization URL**: where the browser sends you to approve access.
- **Token URL**: where the access token is exchanged after you approve.
- **Client ID**: the identifier for your registered OAuth application.
- **Scopes**: the specific kinds of access the app is requesting.
- **Client secret**: only if the provider requires one.

> [!WARNING]
> A desktop app can't keep a client secret truly private. Prefer providers that support public clients with **PKCE**, the standard way for desktop apps to connect without a secret. Only add a secret when the provider requires it, and treat it as recoverable rather than confidential.
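
The PKCE exchange recommended in the warning above, as an added example; it is not Glaze's own code. The provider URL, client ID, and scopes are constructed placeholders, and the function names are hypothetical. The challenge derivation follows RFC 7636 (method S256).

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "https://www.glaze.app/api/oauth/callback"  # redirect URL from this page

def new_verifier():
    """Random code_verifier; 64 bytes encode to 86 chars (RFC 7636 allows 43-128)."""
    return secrets.token_urlsafe(64)

def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(auth_url, client_id, scopes, verifier, state):
    """URL the browser opens. Only the challenge leaves the app, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{auth_url}?{urlencode(params)}"

def build_token_request(callback_url, expected_state, client_id, verifier):
    """Validate the callback, then return the form body to POST to the token URL."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    returned = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means the callback is not from this sign-in.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "code_verifier": verifier,  # proves possession; no client_secret is sent
    }
```

The provider recomputes the challenge from `code_verifier` at the token URL, so an authorization code intercepted on its way back is useless without the verifier held by the running app.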

## Setting Scope

**Scopes** decide what the connected app can touch, so request only what a feature needs. The provider's docs list the scopes it supports and what each one allows.

## Testing the Connection

To confirm a custom connection works, ask the agent to build a simple read, like showing your profile or a small list, then run the app and sign in. The running app is what holds the OAuth access, not the agent, so the check happens in the app.

A quick read tells you everything is wired up before you build a larger feature on top of it. If authorization opens but doesn't complete, check the client ID, the redirect URL, and whether the provider requires PKCE or a client secret.

## Where to Go Next

Once your provider is connected, build with it the way you would any integration. See [Writing Effective Prompts](/prompting/writing-effective-prompts) to describe the feature, and [Managing Connections](/integrations/managing-connections) to re-authorize or revoke access later. Your access token is stored encrypted on your Mac, protected by the Keychain, never in plain text. Also see [Glaze Privacy & Data](/account/privacy-and-data) for more information.
