This page documents OAuth endpoints used by Tools web integrations.
Route: oauth.slack.start
Path: /oauth/slack/start
Method: GET or POST
Auth: auth:web
Starts the Slack OAuth flow and redirects to Slack oauth/v2/authorize.

Route: oauth.slack.callback
Path: /oauth/slack/callback
Method: GET
Auth: auth:web
Slack redirects back here with code and state.

Route: oauth.slack.callback-url
Path: /oauth/slack/callback-url
Method: GET
Auth: auth:web
Returns the currently computed callback URL in JSON:
{
    "callback_url": "https://tools.tornevall.com/oauth/slack/callback"
}

Route: oauth.soundcloud.start
Path: /oauth/soundcloud/start
Method: POST
Auth: auth:web
Expected payload:
{
    "provider_app_id": 1,
    "target_owner_type": "system",
    "target_owner_id": null
}

Route: oauth.soundcloud.callback
Path: /oauth/soundcloud/callback
Method: GET
Auth: auth:web
Receives provider callback values (state, code, error, error_description).

Route: oauth.microsoft.start
Path: /oauth/microsoft/start
Route: oauth.microsoft_todo.start
Path: /oauth/microsoft-todo/start
Method: POST
Auth: auth:web
Starts the shared Microsoft OAuth flow for the currently logged-in user.

Route: oauth.microsoft.start_link
Path: /oauth/microsoft/start-link
Route: oauth.microsoft_todo.start_link
Path: /oauth/microsoft-todo/start-link
Method: GET
Auth: auth:web
Creates a fresh signed Microsoft OAuth state and redirects directly to Microsoft from one normal clickable browser URL.

Route: oauth.microsoft.callback
Path: /oauth/microsoft/callback
Route: oauth.microsoft_todo.callback
Path: /oauth/microsoft-todo/callback
Method: GET
Receives provider callback values (state, code, error, error_description) and stores the current per-user Microsoft connection used by Microsoft To Do today. When the original browser session is gone, Tools now recreates the matching web session from the signed OAuth state before redirecting the user back into the Microsoft To Do integration page.

Path: /api/microsoft/oauth/start
Path: /api/microsoft-todo/oauth/start
Method: GET
Auth: POST /api/account/login
Returns one Microsoft authorization URL for the authenticated user together with the callback URL currently expected by this host.

Path: /api/microsoft/auth/status
Method: GET
Auth: POST /api/account/login
Returns the shared Microsoft auth/platform-app readiness for the authenticated user, including callback/start URLs and tenant/account-type diagnostics that are not tied only to Microsoft To Do list/task counts.
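An added example, not Tools' own code: one way a signed OAuth state like the one described for the Microsoft start-link and callback routes can be built and checked, so that the callback can identify the user without the original browser session. The token layout, the payload fields (uid, nonce, exp) and the in-memory nonce set are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_state(key, user_id, ttl=600, now=None):
    """Build the state value sent to the provider: payload plus HMAC tag."""
    issued = int(time.time() if now is None else now)
    # Assumed payload fields: who started the flow, a one-time nonce, an expiry.
    payload = {"uid": user_id, "nonce": secrets.token_urlsafe(16), "exp": issued + ttl}
    body = b64e(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(tag)


def verify_state(key, state, seen_nonces, now=None):
    """Return the user id bound to state, or None if it must be rejected."""
    try:
        body, tag = state.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Check the tag in constant time before trusting any payload field.
        if not hmac.compare_digest(expected, b64d(tag)):
            return None
        payload = json.loads(b64d(body))
    except ValueError:
        return None
    current = time.time() if now is None else now
    # A state that can restore a session must be short-lived and single-use.
    if payload["exp"] < current or payload["nonce"] in seen_nonces:
        return None
    seen_nonces.add(payload["nonce"])
    return payload["uid"]


if __name__ == "__main__":
    key, used = secrets.token_bytes(32), set()  # constructed key and nonce store
    state = sign_state(key, user_id=42)
    print(verify_state(key, state, used), verify_state(key, state, used))
```

With more than one web worker, the set of used nonces has to live in a store all workers share, with entries expiring together with the state.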
The current X mention-bot does not complete a browser-based OAuth exchange. It still uses static server-side X_BOT_* credentials from .env.
If you receive X OAuth 2.0 client credentials during app setup, store them in:
X_OAUTH2_CLIENT_ID
X_OAUTH2_CLIENT_SECRET
X_OAUTH2_REDIRECT_URI
If the X dashboard also shows generated OAuth 2.0 user tokens, store them in:
X_OAUTH2_ACCESS_TOKEN
X_OAUTH2_REFRESH_TOKEN
Those are reserved for a future callback-driven OAuth2 flow and are separate from the current OAuth1-style posting credentials X_BOT_ACCESS_TOKEN and X_BOT_ACCESS_TOKEN_SECRET.
However, Tools now exposes a public callback placeholder so there is a real URL available for X app registration when a callback field is required:
Route: oauth.x.callback
Path: /oauth/x/callback
Method: GET
This route currently acts as an informational landing page and placeholder only. It does not yet exchange or store X OAuth tokens.

Route: oauth.x.callback-url
Path: /oauth/x/callback-url
Method: GET
Returns JSON containing the currently computed X callback URL.
For Slack app configuration, use:
https://tools.tornevall.com/oauth/slack/callback
https://tools.tornevall.net/oauth/slack/callback
If SLACK_REDIRECT_URI is configured, that value is used as the effective redirect URI and should be registered in Slack App settings.
For the shared Microsoft / Microsoft Graph app configuration, register the callback matching the current environment:
https://tools.tornevall.com/oauth/microsoft/callback
https://tools.tornevall.net/oauth/microsoft/callback
Legacy callback aliases under /oauth/microsoft-todo/callback still work, but the generic /oauth/microsoft/callback route is now the recommended registration target for one shared Microsoft / Graph app that may later also serve broader integrations such as Microsoft Copilot-style flows.
If MICROSOFT_REDIRECT_URI is configured, that value becomes the effective redirect URI and should be registered in the Microsoft Entra app as well. Legacy MICROSOFT_TODO_REDIRECT_URI is still accepted as a compatibility alias.
If you expect personal Microsoft accounts (@outlook.com, @hotmail.com, @live.com), use tenant common or consumers and make sure the Azure app registration itself is enabled for personal accounts (MSA). If not, Microsoft commonly responds with unauthorized_client.
For X app registration, if you need a callback URL field even though the current bot uses static credentials, use:
https://tools.tornevall.com/oauth/x/callback
https://tools.tornevall.net/oauth/x/callback
When the Microsoft To Do platform app is not environment-managed, the shared app settings can now also be saved from /settings/integrations/microsoft-todo by an acknowledged admin. The page shows the same recommended callback URL together with additive diagnostics about missing platform-app fields.