
Connected App in Frappe Framework (v15)

Introduction: What Is a Connected App?

A Connected App in Frappe Framework v15 enables secure, OAuth-based authentication for external applications that need to access ERPNext or Frappe APIs.

It acts as a trusted bridge between Frappe and third-party systems, ensuring:

  • Controlled API access
  • Token-based authentication
  • Secure permission handling

Connected Apps are essential for modern ERP integrations.

What Is a Connected App in Frappe?

A Connected App is a DocType in Frappe that defines:

  • OAuth client credentials
  • Redirect URLs
  • Allowed scopes
  • Authorization flow

It is used when an external system needs authenticated access to Frappe resources.

Why Use a Connected App?

Use a Connected App when:

  • Integrating mobile or web applications
  • Connecting ERPNext with external platforms
  • Exposing APIs securely
  • Avoiding hard-coded API keys

Connected Apps follow OAuth 2.0 standards, making integrations secure and scalable.

How Does a Connected App Work?

A Connected App uses the OAuth 2.0 Authorization Code flow:

  1. External app requests authorization
  2. User grants access
  3. Frappe issues an authorization code
  4. App exchanges code for access token
  5. API requests use the token

This flow is built-in and standardized in Frappe v15.

Prerequisites

Before creating a Connected App, ensure:

  • Frappe Framework v15 is installed
  • You have System Manager permissions
  • API access is enabled
  • HTTPS is used for production

How to Create a Connected App in Frappe?

Step-by-Step Instructions

  1. Go to Desk → Connected App
  2. Click New
  3. Fill in required fields
  4. Save the record

Key Fields in Connected App (v15)

Field Name            Description
App Name              Display name of the integration
Client ID             Auto-generated OAuth client ID
Client Secret         Secure client secret
Redirect URI          Callback URL after authentication
Scopes                Allowed API access levels
Default Redirect URI  Fallback redirect

All fields are native to Frappe v15.

Supported OAuth Scopes

Scopes define what the external app can access.

Common scopes include:

  • openid
  • profile
  • email
  • all (full API access)

Use least-privilege access for security.

OAuth Authorization Flow (Frappe v15)

Authorization Endpoint

/api/method/frappe.integrations.oauth2.authorize

Token Endpoint

/api/method/frappe.integrations.oauth2.get_token

These endpoints are official and stable in v15.

Example: Authorization Request

https://your-site.com/api/method/frappe.integrations.oauth2.authorize?
response_type=code&
client_id=CLIENT_ID&
redirect_uri=REDIRECT_URI&
scope=all

After approval, Frappe redirects with an authorization code.

Example: Token Exchange

POST /api/method/frappe.integrations.oauth2.get_token

Payload:

{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE",
  "client_id": "CLIENT_ID",
  "client_secret": "CLIENT_SECRET",
  "redirect_uri": "REDIRECT_URI"
}

Using the Access Token

Once obtained, include the token in API requests:

Authorization: Bearer ACCESS_TOKEN

This token grants access based on assigned scopes.

Real-World Use Cases

Mobile Applications

  • ERPNext mobile apps
  • Field sales apps

Third-Party Integrations

  • Payment gateways
  • CRM platforms
  • Analytics tools

Internal Microservices

  • Secure service-to-service communication

Industry Relevance

Connected Apps are widely used in:

  • Manufacturing ERP
  • Finance & Accounting
  • Logistics & Supply Chain
  • Real Estate ERP systems

They enable secure, auditable integrations.

Best Practices for Connected Apps

  • Use HTTPS for redirect URIs
  • Rotate client secrets regularly
  • Restrict scopes tightly
  • Monitor token usage

Common Mistakes to Avoid

Mistake                        Risk
Using all scope unnecessarily  Over-permission
Hard-coding secrets            Security breach
Skipping HTTPS                 Token leakage
Sharing client credentials     Unauthorized access

Troubleshooting Common Issues

Invalid Redirect URI

  • Ensure exact match with registered URI
  • Check protocol and trailing slashes

Token Not Issued

  • Verify client credentials
  • Confirm authorization code validity

API Access Denied

  • Check scopes
  • Verify user permissions

Integration Patterns

Connected Apps work well with:

  • REST API integrations
  • Mobile authentication flows
  • External dashboards

They are upgrade-safe and framework-native.

Target Audience

  • ERPNext Developers
  • Frappe Framework Consultants
  • Integration Architects
  • SaaS & Mobile App Developers

Summary: Secure Integrations with Connected Apps

In Frappe Framework v15, Connected Apps provide a secure, standardized, OAuth-based mechanism for external access.

They replace unsafe API key usage and ensure:

  • Better security
  • Controlled access
  • Scalable integrations

Connected Apps are the recommended approach for modern ERPNext integrations.
